David Lebrun 55195563ec ipv6: sr: fix out-of-bounds read when setting HMAC data. ... [ Upstream commit 84a53580c5 ] The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET. Reported-by: Lucas Leong <wmliang.tw@gmail.com> Tested: verified that EINVAL is correctly returned when secretlen > len(secret) Fixes: 4f4853dc1c ("ipv6: sr: implement API to control SR HMAC structure") Signed-off-by: David Lebrun <dlebrun@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>		2022-09-15 11:30:06 +02:00
..
6lowpan
9p	net/9p: Initialize the iounit field during fid creation	2022-08-17 14:24:23 +02:00
802
8021q	net: use eth_hw_addr_set() instead of ether_addr_copy()	2022-08-31 17:16:37 +02:00
appletalk
atm
ax25	net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg	2022-06-22 14:22:01 +02:00
batman-adv	batman-adv: Use netif_rx_any_context() any.	2022-07-29 17:25:07 +02:00
bluetooth	Bluetooth: L2CAP: Fix build errors in some archs	2022-09-05 10:30:06 +02:00
bpf	bpf: Don't redirect packets with invalid pkt_len	2022-09-05 10:30:07 +02:00
bpfilter
bridge	netfilter: br_netfilter: Drop dst references before setting.	2022-09-15 11:30:04 +02:00
caif
can	can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with netdev_warn_once()	2022-08-25 11:40:46 +02:00
ceph	libceph: fix potential use-after-free on linger ping and resends	2022-05-25 09:57:28 +02:00
core	tcp: TX zerocopy should not sense pfmemalloc status	2022-09-15 11:30:05 +02:00
dcb	net: dcb: disable softirqs in dcbnl_flush_dev()	2022-03-08 19:12:52 +01:00
dccp	dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock	2022-08-17 14:23:37 +02:00
decnet	net: Fix data-races around sysctl_[rw]mem(_offset)?.	2022-08-03 12:03:51 +02:00
dns_resolver
dsa	net: use eth_hw_addr_set() instead of ether_addr_copy()	2022-08-31 17:16:37 +02:00
ethernet
ethtool	ethtool: Fix get module eeprom fallback	2022-06-29 09:03:23 +02:00
hsr	net: use eth_hw_addr_set() instead of ether_addr_copy()	2022-08-31 17:16:37 +02:00
ieee802154	net: ieee802154: Return meaningful error codes from the netlink helpers	2022-02-08 18:34:09 +01:00
ife
ipv4	tcp: TX zerocopy should not sense pfmemalloc status	2022-09-15 11:30:05 +02:00
ipv6	ipv6: sr: fix out-of-bounds read when setting HMAC data.	2022-09-15 11:30:06 +02:00
iucv
kcm	kcm: fix strp_init() order and cleanup	2022-09-08 12:28:03 +02:00
key	af_key: Do not call xfrm_probe_algs in parallel	2022-08-31 17:16:36 +02:00
l2tp	ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg	2022-06-22 14:21:58 +02:00
l3mdev	l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu	2022-04-27 14:38:53 +02:00
lapb
llc	llc: only change llc->dev when bind() succeeds	2022-03-28 09:58:46 +02:00
mac80211	net: Use u64_stats_fetch_begin_irq() for stats fetch.	2022-09-08 12:28:07 +02:00
mac802154	net: mac802154: Fix a condition in the receive path	2022-09-08 12:28:07 +02:00
mctp	mctp: Fix check for dev_hard_header() result	2022-04-13 20:59:16 +02:00
mpls	net: Use u64_stats_fetch_begin_irq() for stats fetch.	2022-09-08 12:28:07 +02:00
mptcp	mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb	2022-08-31 17:16:50 +02:00
ncsi	net/ncsi: check for error return from call to nla_put_u32	2022-01-05 12:42:37 +01:00
netfilter	netfilter: nf_conntrack_irc: Fix forged IP logic	2022-09-15 11:30:04 +02:00
netlabel	netlabel: fix out-of-bounds memory accesses	2022-04-13 20:59:10 +02:00
netlink	net: genl: fix error path memory leak in policy dumping	2022-08-25 11:40:25 +02:00
netrom	netrom: fix api breakage in nr_setsockopt()	2022-01-27 11:04:00 +01:00
nfc	NFC: NULL out the dev->rfkill to prevent UAF	2022-06-09 10:22:46 +02:00
nsh
openvswitch	openvswitch: fix memory leak at failed datapath creation	2022-09-08 12:28:02 +02:00
packet	net/af_packet: check len when min_header_len equals to 0	2022-09-05 10:30:12 +02:00
phonet	phonet: refcount leak in pep_sock_accep	2022-01-11 15:35:16 +01:00
psample
qrtr	net: qrtr: start MHI channel after endpoit creation	2022-08-25 11:40:29 +02:00
rds	rds: add missing barrier to release_refill	2022-08-25 11:39:54 +02:00
rfkill	rfkill: make new event layout opt-in	2022-04-08 14:23:00 +02:00
rose	rose: check NULL rose_loopback_neigh->loopback	2022-08-31 17:16:38 +02:00
rxrpc	rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2()	2022-09-15 11:30:05 +02:00
sched	sch_sfb: Don't assume the skb is still around after enqueueing to child	2022-09-15 11:30:05 +02:00
sctp	sctp: leave the err path free in sctp_stream_init to sctp_stream_free	2022-08-03 12:03:54 +02:00
smc	net/smc: Remove redundant refcount increase	2022-09-08 12:28:03 +02:00
strparser
sunrpc	SUNRPC: RPC level errors should set task->tk_rpc_status	2022-08-31 17:16:37 +02:00
switchdev
tipc	tipc: fix shift wrapping bug in map_get()	2022-09-15 11:30:05 +02:00
tls	net/tls: Remove the context from the list in tls_device_down	2022-08-03 12:03:47 +02:00
unix	af_unix: Fix a data-race in unix_dgram_peer_wake_me().	2022-06-14 18:36:17 +02:00
vmw_vsock	vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()	2022-08-25 11:40:11 +02:00
wireless	wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()	2022-09-08 12:28:02 +02:00
x25	net/x25: Fix null-ptr-deref caused by x25_disconnect	2022-04-08 14:23:53 +02:00
xdp	xsk: Clear page contiguity bit when unmapping pool	2022-07-12 16:35:15 +02:00
xfrm	net: Fix data-races around netdev_max_backlog.	2022-08-31 17:16:42 +02:00
compat.c
devres.c
Kconfig
Makefile
socket.c	net: Fix a data-race around sysctl_somaxconn.	2022-08-31 17:16:45 +02:00
sysctl_net.c