From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com,
Hyunwoo Kim <v4bel@theori.io>,
Herbert Xu <herbert@gondor.apana.org.au>,
Sabrina Dubroca <sd@queasysnail.net>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 08/99] xfrm: Zero padding when dumping algos and encap
Date: Mon, 3 Apr 2023 16:08:31 +0200 [thread overview]
Message-ID: <20230403140356.366179636@linuxfoundation.org> (raw)
In-Reply-To: <20230403140356.079638751@linuxfoundation.org>
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 8222d5910dae08213b6d9d4bc9a7f8502855e624 ]
When copying data to user-space we should ensure that only valid
data is copied over. Padding in structures may be filled with
random (possibly sensitve) data and should never be given directly
to user-space.
This patch fixes the copying of xfrm algorithms and the encap
template in xfrm_user so that padding is zeroed.
Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com
Reported-by: Hyunwoo Kim <v4bel@theori.io>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_user.c | 45 ++++++++++++++++++++++++++++++++++++++++----
1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5fba82757ce5e..eb0952dbf4236 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -906,7 +906,9 @@ static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb)
return -EMSGSIZE;
ap = nla_data(nla);
- memcpy(ap, aead, sizeof(*aead));
+ strscpy_pad(ap->alg_name, aead->alg_name, sizeof(ap->alg_name));
+ ap->alg_key_len = aead->alg_key_len;
+ ap->alg_icv_len = aead->alg_icv_len;
if (redact_secret && aead->alg_key_len)
memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8);
@@ -926,7 +928,8 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
return -EMSGSIZE;
ap = nla_data(nla);
- memcpy(ap, ealg, sizeof(*ealg));
+ strscpy_pad(ap->alg_name, ealg->alg_name, sizeof(ap->alg_name));
+ ap->alg_key_len = ealg->alg_key_len;
if (redact_secret && ealg->alg_key_len)
memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8);
@@ -937,6 +940,40 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
return 0;
}
+static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb)
+{
+ struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg));
+ struct xfrm_algo *ap;
+
+ if (!nla)
+ return -EMSGSIZE;
+
+ ap = nla_data(nla);
+ strscpy_pad(ap->alg_name, calg->alg_name, sizeof(ap->alg_name));
+ ap->alg_key_len = 0;
+
+ return 0;
+}
+
+static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb)
+{
+ struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep));
+ struct xfrm_encap_tmpl *uep;
+
+ if (!nla)
+ return -EMSGSIZE;
+
+ uep = nla_data(nla);
+ memset(uep, 0, sizeof(*uep));
+
+ uep->encap_type = ep->encap_type;
+ uep->encap_sport = ep->encap_sport;
+ uep->encap_dport = ep->encap_dport;
+ uep->encap_oa = ep->encap_oa;
+
+ return 0;
+}
+
static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m)
{
int ret = 0;
@@ -992,12 +1029,12 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
goto out;
}
if (x->calg) {
- ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
+ ret = copy_to_user_calg(x->calg, skb);
if (ret)
goto out;
}
if (x->encap) {
- ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
+ ret = copy_to_user_encap(x->encap, skb);
if (ret)
goto out;
}
--
2.39.2
next prev parent reply other threads:[~2023-04-03 14:31 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-03 14:08 [PATCH 5.15 00/99] 5.15.106-rc1 review Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 01/99] fsverity: dont drop pagecache at end of FS_IOC_ENABLE_VERITY Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 02/99] usb: dwc3: gadget: move cmd_endtransfer to extra function Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 03/99] usb: dwc3: gadget: Add 1ms delay after end transfer command without IOC Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 04/99] kernel: kcsan: kcsan_test: build without structleak plugin Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 05/99] kcsan: avoid passing -g for test Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 06/99] ksmbd: dont terminate inactive sessions after a few seconds Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 07/99] bus: imx-weim: fix branch condition evaluates to a garbage value Greg Kroah-Hartman
2023-04-03 14:08 ` Greg Kroah-Hartman [this message]
2023-04-03 14:08 ` [PATCH 5.15 09/99] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 10/99] md: avoid signed overflow in slot_store() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 11/99] x86/PVH: obtain VGA console info in Dom0 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 12/99] net: hsr: Dont log netdev_err message on unknown prp dst node Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 13/99] ALSA: asihpi: check pao in control_message() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 14/99] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 15/99] fbdev: tgafb: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 16/99] sched_getaffinity: dont assume cpumask_size() is fully initialized Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 17/99] fbdev: nvidia: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 18/99] fbdev: intelfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 19/99] fbdev: lxfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 20/99] fbdev: au1200fb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 21/99] tools/power turbostat: Fix /dev/cpu_dma_latency warnings Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 22/99] tools/power turbostat: fix decoding of HWP_STATUS Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 23/99] tracing: Fix wrong return in kprobe_event_gen_test.c Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 24/99] ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 25/99] mips: bmips: BCM6358: disable RAC flush for TP1 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 26/99] ALSA: usb-audio: Fix recursive locking at XRUN during syncing Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 27/99] platform/x86: think-lmi: add missing type attribute Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 28/99] platform/x86: think-lmi: use correct possible_values delimiters Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 29/99] platform/x86: think-lmi: only display possible_values if available Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 30/99] platform/x86: think-lmi: Add possible_values for ThinkStation Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 31/99] mtd: rawnand: meson: invalidate cache on polling ECC bit Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 32/99] SUNRPC: fix shutdown of NFS TCP client socket Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 33/99] sfc: ef10: dont overwrite offload features at NIC reset Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 34/99] scsi: megaraid_sas: Fix crash after a double completion Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 35/99] scsi: mpt3sas: Dont print sense pool info twice Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 36/99] ptp_qoriq: fix memory leak in probe() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 37/99] net: dsa: microchip: ksz8863_smi: fix bulk access Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 38/99] r8169: fix RTL8168H and RTL8107E rx crc error Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 39/99] regulator: Handle deferred clk Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 40/99] net/net_failover: fix txq exceeding warning Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 41/99] net: stmmac: dont reject VLANs when IFF_PROMISC is set Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 42/99] drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 43/99] platform/x86/intel/pmc: Alder Lake PCH slp_s0_residency fix Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 44/99] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 45/99] s390/vfio-ap: fix memory leak in vfio_ap device driver Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 46/99] loop: suppress uevents while reconfiguring the device Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 47/99] loop: LOOP_CONFIGURE: send uevents for partitions Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 48/99] net: mvpp2: classifier flow fix fragmentation flags Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 49/99] net: mvpp2: parser fix QinQ Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 50/99] net: mvpp2: parser fix PPPoE Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 51/99] smsc911x: avoid PHY being resumed when interface is not up Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 52/99] ice: add profile conflict check for AVF FDIR Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 53/99] ice: fix invalid check for empty list in ice_sched_assoc_vsi_to_agg() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 54/99] ALSA: ymfpci: Create card with device-managed snd_devm_card_new() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 55/99] ALSA: ymfpci: Fix BUG_ON in probe function Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 56/99] net: ipa: compute DMA pool size properly Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 57/99] i40e: fix registers dump after run ethtool adapter self test Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 58/99] bnxt_en: Fix reporting of test result in ethtool selftest Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 59/99] bnxt_en: Fix typo in PCI id to device description string mapping Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 60/99] bnxt_en: Add missing 200G link speed reporting Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 61/99] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 62/99] net: ethernet: mtk_eth_soc: fix flow block refcounting logic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 63/99] pinctrl: ocelot: Fix alt mode for ocelot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 64/99] iommu/vt-d: Allow zero SAGAW if second-stage not supported Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 65/99] Input: alps - fix compatibility with -funsigned-char Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 66/99] Input: focaltech - use explicitly signed char type Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 67/99] cifs: prevent infinite recursion in CIFSGetDFSRefer() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 68/99] cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 69/99] Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 70/99] btrfs: fix race between quota disable and quota assign ioctls Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 71/99] btrfs: scan device in non-exclusive mode Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 72/99] zonefs: Always invalidate last cached page on append write Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 73/99] can: j1939: prevent deadlock by moving j1939_sk_errqueue() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 74/99] xen/netback: dont do grant copy across page boundary Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 75/99] net: phy: dp83869: fix default value for tx-/rx-internal-delay Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 76/99] pinctrl: amd: Disable and mask interrupts on resume Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 77/99] pinctrl: at91-pio4: fix domain name assignment Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 78/99] powerpc: Dont try to copy PPR for task with NULL pt_regs Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 79/99] NFSv4: Fix hangs when recovering open state after a server reboot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 80/99] ALSA: hda/conexant: Partial revert of a quirk for Lenovo Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 81/99] ALSA: usb-audio: Fix regression on detection of Roland VS-100 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 82/99] ALSA: hda/realtek: Add quirks for some Clevo laptops Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 83/99] ALSA: hda/realtek: Add quirk for Lenovo ZhaoYang CF4620Z Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 84/99] xtensa: fix KASAN report for show_stack Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 85/99] rcu: Fix rcu_torture_read ftrace event Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 86/99] drm/etnaviv: fix reference leak when mmaping imported buffer Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 87/99] drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 88/99] KVM: arm64: Disable interrupts while walking userspace PTs Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 89/99] s390/uaccess: add missing earlyclobber annotations to __clear_user() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 90/99] KVM: VMX: Move preemption timer <=> hrtimer dance to common x86 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 91/99] KVM: x86: Inject #GP on x2APIC WRMSR that sets reserved bits 63:32 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 92/99] KVM: x86: Purge "highest ISR" cache when updating APICv state Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 93/99] zonefs: Fix error message in zonefs_file_dio_append() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 94/99] selftests/bpf: Test btf dump for struct with padding only fields Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 95/99] libbpf: Fix BTF-to-C converters padding logic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 96/99] selftests/bpf: Add few corner cases to test padding handling of btf_dump Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 97/99] libbpf: Fix btf_dumps packed struct determination Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 98/99] hsr: ratelimit only when errors are printed Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 99/99] x86/PVH: avoid 32-bit build warning when obtaining VGA console info Greg Kroah-Hartman
2023-04-03 22:59 ` [PATCH 5.15 00/99] 5.15.106-rc1 review Shuah Khan
2023-04-04 2:06 ` Florian Fainelli
2023-04-04 2:41 ` Bagas Sanjaya
2023-04-04 10:05 ` Naresh Kamboju
2023-04-04 10:55 ` Chris Paterson
2023-04-04 21:21 ` Guenter Roeck
2023-04-05 6:08 ` Harshit Mogalapalli
2023-04-05 8:49 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230403140356.366179636@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=sd@queasysnail.net \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com \
--cc=v4bel@theori.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox