From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Sasha Levin To: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" CC: Steffen Klassert , Sasha Levin Subject: [PATCH AUTOSEL for 3.18 003/102] af_key: Fix slab-out-of-bounds in pfkey_compile_policy. Date: Mon, 19 Mar 2018 16:11:27 +0000 Message-ID: <20180319161117.17833-3-alexander.levin@microsoft.com> References: <20180319161117.17833-1-alexander.levin@microsoft.com> In-Reply-To: <20180319161117.17833-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: From: Steffen Klassert [ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ] The sadb_x_sec_len is stored in the unit 'byte divided by eight'. So we have to multiply this value by eight before we can do size checks. Otherwise we may get a slab-out-of-bounds when we memcpy the user sec_ctx. Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.") Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin --- net/key/af_key.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/key/af_key.c b/net/key/af_key.c index 65cce8ceaead..64dbf0dbe358 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -3301,7 +3301,7 @@ static struct xfrm_policy *pfkey_compile_policy(struc= t sock *sk, int opt, p +=3D pol->sadb_x_policy_len*8; sec_ctx =3D (struct sadb_x_sec_ctx *)p; if (len < pol->sadb_x_policy_len*8 + - sec_ctx->sadb_x_sec_len) { + sec_ctx->sadb_x_sec_len*8) { *dir =3D -EINVAL; goto out; } --=20 2.14.1