From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-cys01nam02hn0225.outbound.protection.outlook.com ([104.47.37.225]:62272 "EHLO NAM02-CY1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1754881AbeARVBV (ORCPT ); Thu, 18 Jan 2018 16:01:21 -0500
From: Sasha Levin
To: "stable@vger.kernel.org", "stable-commits@vger.kernel.org"
CC: Andy Whitcroft, Linus Torvalds, Sasha Levin
Subject: [added to the 4.1 stable tree] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
Date: Thu, 18 Jan 2018 21:00:09 +0000
Message-ID: <20180118205908.3220-87-alexander.levin@microsoft.com>
References: <20180118205908.3220-1-alexander.levin@microsoft.com>
In-Reply-To: <20180118205908.3220-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
List-ID:

From: Andy Whitcroft

This patch has been added to the stable tree. If you have any objections, please let us know.

===============

[ Upstream commit f843ee6dd019bcece3e74e76ad9df0155655d0df ]

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to wrapping issues. To ensure we are correctly ensuring that the two ESN structures are the same size, compare both the overall size as reported by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184

Signed-off-by: Andy Whitcroft
Acked-by: Steffen Klassert
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
---
 net/xfrm/xfrm_user.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 177cb17cf09c..30593cadd428 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -386,7 +386,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_r= eplay_state_esn *replay_es up =3D nla_data(rp); ulen =3D xfrm_replay_state_esn_len(up); =20 - if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) !=3D ulen= ) + /* Check the overall length and the internal bitmap length to avoid + * potential overflow. */ + if (nla_len(rp) < ulen || + xfrm_replay_state_esn_len(replay_esn) !=3D ulen || + replay_esn->bmp_len !=3D up->bmp_len) return -EINVAL; =20 if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) --=20 2.11.0
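Review bot: the new comment says the extra comparison is there "to avoid potential overflow" without saying what overflows; the commit message attributes the bug to wrapping in xfrm_replay_state_esn_len(), so the comment should say that the direct `replay_esn->bmp_len != up->bmp_len` test is the one comparison that does not go through that length computation and therefore cannot be fooled by it, e.g. `/* Compare bmp_len directly: xfrm_replay_state_esn_len() can wrap, so equal computed lengths do not prove equal bitmap sizes. */`. Two smaller points on the same lines: the closing `*/` belongs on its own line in the kernel's multi-line comment style, and `ulen = xfrm_replay_state_esn_len(up)` still reads `up->bmp_len` before `nla_len(rp)` is checked against anything here, so the hunk relies on the attribute having already been policy-checked to at least the fixed header size; a one-line comment stating that assumption would make the ordering obviously safe to the next reader.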
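As an added illustration of the wrapping the commit message refers to, the following is example code written for this page, not code from the kernel or from the patch author. It models the check with an assumed two-field header (`struct esn_hdr`, standing in for the real struct xfrm_replay_state_esn), an `esn_len()` that returns a 32-bit length the way an `unsigned int` return would, and a constructed `bmp_len` that makes the computed length collide with the kernel's. The pre-patch and patched shapes of the comparison are placed side by side so the difference in outcome is visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed, simplified header of an ESN replay state (not the real
 * struct xfrm_replay_state_esn, which has more fields). bmp_len 32-bit
 * words of bitmap follow this header in the netlink attribute payload. */
struct esn_hdr {
	uint32_t bmp_len;
	uint32_t replay_window;
};

/* Model of xfrm_replay_state_esn_len(): header plus bitmap, handed back
 * as a 32-bit length. The truncation on return is the wrapping the
 * commit message refers to (assumption: modelled here, not copied). */
static uint32_t esn_len(const struct esn_hdr *s)
{
	uint64_t full = sizeof(*s) + (uint64_t)s->bmp_len * sizeof(uint32_t);
	return (uint32_t)full;
}

/* Bytes a consumer would actually touch if it trusted bmp_len. */
static uint64_t esn_len_exact(const struct esn_hdr *s)
{
	return sizeof(*s) + (uint64_t)s->bmp_len * sizeof(uint32_t);
}

/* Pre-patch shape of the check: only the computed overall lengths. */
static bool esn_accept_old(const struct esn_hdr *kern,
			   const struct esn_hdr *user, uint32_t nla_len)
{
	uint32_t ulen = esn_len(user);

	return !(nla_len < ulen || esn_len(kern) != ulen);
}

/* Patched shape: additionally require the bitmap word counts to agree.
 * That comparison never goes through esn_len(), so it cannot wrap. */
static bool esn_accept_new(const struct esn_hdr *kern,
			   const struct esn_hdr *user, uint32_t nla_len)
{
	uint32_t ulen = esn_len(user);

	return !(nla_len < ulen || esn_len(kern) != ulen ||
		 kern->bmp_len != user->bmp_len);
}

/* Constructed attacker value: adding 2^30 words adds exactly 2^32 bytes,
 * which the 32-bit length drops, so esn_len() reports the same length as
 * for the kernel's own bmp_len. */
static uint32_t aliasing_bmp_len(uint32_t kernel_bmp_len)
{
	return kernel_bmp_len + 0x40000000u;
}

int main(void)
{
	struct esn_hdr kern = { .bmp_len = 4, .replay_window = 0 };
	struct esn_hdr user = { .bmp_len = aliasing_bmp_len(kern.bmp_len),
				.replay_window = 0 };
	/* The attacker sends only as many bytes as the kernel state has. */
	uint32_t nla_len = esn_len(&kern);

	printf("esn_len(kern)=%u esn_len(user)=%u exact(user)=%llu bytes\n",
	       esn_len(&kern), esn_len(&user),
	       (unsigned long long)esn_len_exact(&user));
	printf("old check: %s\n",
	       esn_accept_old(&kern, &user, nla_len) ? "accepted" : "rejected");
	printf("new check: %s\n",
	       esn_accept_new(&kern, &user, nla_len) ? "accepted" : "rejected");
	return 0;
}
```

In the model, the old comparison accepts a 24-byte attribute whose `bmp_len` claims a 4 GiB bitmap, because both sides of `esn_len(kern) != ulen` compute to 24; the added `kern->bmp_len != user->bmp_len` test rejects it regardless of how the length arithmetic behaves.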