From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:55624 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753302AbeDIT5m (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 9 Apr 2018 15:57:42 -0400
Subject: Patch "af_key: Fix slab-out-of-bounds in pfkey_compile_policy." has been added to the 4.9-stable tree
To: steffen.klassert@secunet.com, alexander.levin@microsoft.com,
        andreyknvl@google.com, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Mon, 09 Apr 2018 21:57:23 +0200
Message-ID: <1523303843154213@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    af_key: Fix slab-out-of-bounds in pfkey_compile_policy.

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From foo@baz Mon Apr  9 17:09:24 CEST 2018
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Fri, 5 May 2017 07:40:42 +0200
Subject: af_key: Fix slab-out-of-bounds in pfkey_compile_policy.

From: Steffen Klassert <steffen.klassert@secunet.com>


[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ]

The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.

Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/key/af_key.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3305,7 +3305,7 @@ static struct xfrm_policy *pfkey_compile
 		p += pol->sadb_x_policy_len*8;
 		sec_ctx = (struct sadb_x_sec_ctx *)p;
 		if (len < pol->sadb_x_policy_len*8 +
-		    sec_ctx->sadb_x_sec_len) {
+		    sec_ctx->sadb_x_sec_len*8) {
 			*dir = -EINVAL;
 			goto out;
 		}


Patches currently in stable-queue which might be from steffen.klassert@secunet.com are

queue-4.9/ipsec-check-return-value-of-skb_to_sgvec-always.patch
queue-4.9/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch
queue-4.9/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch
queue-4.9/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch