stable.vger.kernel.org archive mirror
From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.4 30/36] xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
Date: Sun, 28 Jan 2018 22:28:45 +0000	[thread overview]
Message-ID: <20180128222815.29479-30-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180128222815.29479-1-alexander.levin@microsoft.com>

From: Steffen Klassert <steffen.klassert@secunet.com>

[ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ]

On policies with a transport mode template, we pass the addresses
from the flowi to xfrm_state_find(), assuming that the IP addresses
(and address family) don't change during transformation.

Unfortunately our policy template validation is not strict enough.
It is possible to configure policies with transport mode template
where the address family of the template does not match the selector's
address family. This leads to stack-out-of-bounds reads because
we compare addresses of the wrong family. Fix this by refusing
such a configuration; the address family cannot change in transport
mode.

We use the assumption that, on transport mode, the first template's
address family must match the address family of the policy selector.
Subsequent transport mode templates must match the address family of
the previous template.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 net/xfrm/xfrm_user.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 76944a4839a5..a3bf423313fb 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1376,11 +1376,14 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
 
 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
 {
+	u16 prev_family;
 	int i;
 
 	if (nr > XFRM_MAX_DEPTH)
 		return -EINVAL;
 
+	prev_family = family;
+
 	for (i = 0; i < nr; i++) {
 		/* We never validated the ut->family value, so many
 		 * applications simply leave it at zero.  The check was
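Review bot: Style point on the new `prev_family` variable in this hunk: it is declared at the top of the function and only assigned after the `XFRM_MAX_DEPTH` check, and the early return does not use it, so declaration and initialisation could be folded into `u16 prev_family = family;` with no change in behaviour. Seeding it from the policy selector's `family` is what makes the first transport-mode template compare against the selector, as the description requires.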
@@ -1392,6 +1395,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
 		if (!ut[i].family)
 			ut[i].family = family;
 
+		if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
+		    (ut[i].family != prev_family))
+			return -EINVAL;
+
+		prev_family = ut[i].family;
+
 		switch (ut[i].family) {
 		case AF_INET:
 			break;
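Review bot: The new check carries no comment on why a family change is rejected only for `XFRM_MODE_TRANSPORT`; a later reader of `validate_tmpl()` has to find this commit to learn that transport mode passes the flowi addresses through to `xfrm_state_find()` unchanged. Suggest a one-line comment above the `if`, e.g. `/* Transport mode passes the addresses through unchanged, so the family must not change. */`. The placement is otherwise right: it sits after the `ut[i].family = family` default, so templates that leave the family at zero still pass, and before the `switch` that rejects families other than the supported ones. Note that `prev_family` is updated for every template, tunnel ones included, so a transport template that follows a tunnel template is compared against the tunnel template's family, which matches the description.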
-- 
2.11.0
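
The validation rule the description states (the first transport-mode template must match the selector's address family, each later transport-mode template must match the previous template's family, and a template family left at zero defaults to the selector's) as an added user-space model in C. This is not the kernel's code: `struct tmpl`, `validate_tmpl_model` and the `case_*` functions are stand-ins written here, and the `XFRM_*` constants are defined locally rather than taken from the uapi header so the file builds without kernel headers.

```c
/* Added example, not kernel code: a user-space model of the template
 * family check that the patch adds to validate_tmpl(). */
#include <stdio.h>
#include <errno.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Local definitions standing in for the kernel uapi values. */
#define XFRM_MAX_DEPTH 6
enum { XFRM_MODE_TRANSPORT = 0, XFRM_MODE_TUNNEL = 1 };

/* Minimal stand-in for struct xfrm_user_tmpl: only the fields the check reads. */
struct tmpl {
    unsigned short family;   /* 0 means "unset", as many applications leave it */
    unsigned char  mode;
};

/* Mirrors the patched rule:
 *  - an unset template family defaults to the policy selector's family;
 *  - a transport-mode template must keep the address family of the
 *    previous template (or of the selector for the first one);
 *  - only AF_INET / AF_INET6 are accepted afterwards.
 * Returns 0 on success, -EINVAL on rejection. */
int validate_tmpl_model(int nr, struct tmpl *ut, unsigned short family)
{
    unsigned short prev_family = family;
    int i;

    if (nr > XFRM_MAX_DEPTH)
        return -EINVAL;

    for (i = 0; i < nr; i++) {
        if (!ut[i].family)
            ut[i].family = family;

        /* The check the patch adds: the family may not change in transport mode. */
        if (ut[i].mode == XFRM_MODE_TRANSPORT && ut[i].family != prev_family)
            return -EINVAL;

        prev_family = ut[i].family;

        switch (ut[i].family) {
        case AF_INET:
        case AF_INET6:
            break;
        default:
            return -EINVAL;
        }
    }
    return 0;
}

/* Constructed cases for illustration. */
int case_transport_mismatch(void)
{
    /* IPv4 selector, but a transport template claiming IPv6: rejected. */
    struct tmpl ut[1] = { { AF_INET6, XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(1, ut, AF_INET);
}

int case_transport_unset_family(void)
{
    /* Family left at zero defaults to the selector's family: accepted. */
    struct tmpl ut[1] = { { 0, XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(1, ut, AF_INET);
}

int case_tunnel_then_transport(void)
{
    /* A tunnel template may change family (IPv4 selector, IPv6 tunnel);
     * a following transport template must match the tunnel's family. */
    struct tmpl ut[2] = { { AF_INET6, XFRM_MODE_TUNNEL },
                          { AF_INET6, XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(2, ut, AF_INET);
}

int case_tunnel_then_transport_mismatch(void)
{
    /* Same as above, but the transport template reverts to IPv4: rejected. */
    struct tmpl ut[2] = { { AF_INET6, XFRM_MODE_TUNNEL },
                          { AF_INET, XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(2, ut, AF_INET);
}

int main(void)
{
    printf("transport mismatch:             %d\n", case_transport_mismatch());
    printf("transport, family unset:        %d\n", case_transport_unset_family());
    printf("tunnel then transport (match):  %d\n", case_tunnel_then_transport());
    printf("tunnel then transport (differ): %d\n", case_tunnel_then_transport_mismatch());
    return 0;
}
```

The model keeps the same ordering as the patched function: the zero-family default runs first, then the transport-mode comparison, then the per-family switch, so the cases above exercise exactly the three behaviours the description promises.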
