mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-11 11:09:13 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/xfrm
History
Florian Westphal 9d84284cc8 xfrm: refine validation of template and selector families 
commit 35e6103861 upstream.

The check assumes that in transport mode, the first templates family
must match the address family of the policy selector.

Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
with ipv4-in-ipv6 chain, leading to following splat:

BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
 xfrm_state_find+0x1db/0x1854
 xfrm_tmpl_resolve+0x100/0x1d0
 xfrm_resolve_and_create_bundle+0x108/0x1000 [..]

Problem is that addresses point into flowi4 struct, but xfrm_state_find
treats them as being ipv6 because it uses templ->encap_family is used
(AF_INET6 in case of reproducer) rather than family (AF_INET).

This patch inverts the logic: Enforce 'template family must match
selector' EXCEPT for tunnel and BEET mode.

In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
address pointers changed to point at the addresses found in the template,
rather than the flowi ones, so no oob read will occur.

Reported-by: 3ntr0py1337@gmail.com
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-15 08:10:13 +01:00
..
Kconfig Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2018-07-27 09:33:37 -07:00
Makefile xfrm: Add virtual xfrm interfaces 2018-06-23 16:07:25 +02:00
xfrm_algo.c xfrm: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
xfrm_device.c xfrm: don't check offload_handle for nonzero 2018-07-19 10:18:04 +02:00
xfrm_hash.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm_hash.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm_input.c xfrm: Fix NULL pointer dereference in xfrm_input when skb_dst_force clears the dst_entry. 2019-01-13 09:50:57 +01:00
xfrm_interface.c xfrm: fix gro_cells leak when remove virtual xfrm interfaces 2018-10-02 08:11:45 +02:00
xfrm_ipcomp.c net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() 2018-03-13 07:46:37 +01:00
xfrm_output.c xfrm: Fix error return code in xfrm_output_one() 2019-01-13 09:50:57 +01:00
xfrm_policy.c xfrm: Make set-mark default behavior backward compatible 2019-02-15 08:10:13 +01:00
xfrm_proc.c proc: introduce proc_create_net_single 2018-05-16 07:24:30 +02:00
xfrm_replay.c xfrm: Fix ESN sequence number handling for IPsec GSO packets. 2018-03-01 08:14:50 +01:00
xfrm_state.c xfrm: Fix bucket count reported to userspace 2019-01-13 09:50:57 +01:00
xfrm_sysctl.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm_user.c xfrm: refine validation of template and selector families 2019-02-15 08:10:13 +01:00