[PATCH ipsec-next] xfrm: fix possible null deref in xfrm_init_tempstate

[PATCH ipsec-next] xfrm: fix possible null deref in xfrm_init_tempstate

[Florian Westphal]

Dan reports following smatch warning:
 net/xfrm/xfrm_state.c:659
 error: we previously assumed 'afinfo' could be null (see line 651)

 649  struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
 651  if (afinfo)
		...
 658  }
 659  afinfo->init_temprop(x, tmpl, daddr, saddr);

I am resonably sure afinfo cannot be NULL here.

xfrm_state4.c and state6.c are both part of ipv4/ipv6 (depends on
CONFIG_XFRM, a boolean) but even if ipv6 is a module state6.c can't
be removed (ipv6 lacks module_exit so it cannot be removed).

The only callers for xfrm6_fini that leads to state backend unregister
are error unwinding paths that can be called during ipv6 init function.

So after ipv6 module is loaded successfully the state backend cannot go
away anymore.

The family value from policy lookup path is taken from dst_entry, so
that should always be AF_INET(6).

However, since this silences the warning and avoids readers of this
code wondering about possible null deref it seems preferrable to
be defensive and just add the old check back.

Fixes: 711059b9752ad0 ("xfrm: add and use xfrm_state_afinfo_get_rcu")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a62097e640b5..5a597dbbe564 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -648,8 +648,10 @@ xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
 {
 	struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
 
-	if (afinfo)
-		afinfo->init_tempsel(&x->sel, fl);
+	if (!afinfo)
+		return;
+
+	afinfo->init_tempsel(&x->sel, fl);
 
 	if (family != tmpl->encap_family) {
 		afinfo = xfrm_state_afinfo_get_rcu(tmpl->encap_family);
-- 
2.7.3

Re: [PATCH ipsec-next] xfrm: fix possible null deref in xfrm_init_tempstate

[Steffen Klassert]

On Fri, Jan 13, 2017 at 02:55:14PM +0100, Florian Westphal wrote:
> Dan reports following smatch warning:
>  net/xfrm/xfrm_state.c:659
>  error: we previously assumed 'afinfo' could be null (see line 651)
> 
>  649  struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
>  651  if (afinfo)
> 		...
>  658  }
>  659  afinfo->init_temprop(x, tmpl, daddr, saddr);
> 
> I am resonably sure afinfo cannot be NULL here.
> 
> xfrm_state4.c and state6.c are both part of ipv4/ipv6 (depends on
> CONFIG_XFRM, a boolean) but even if ipv6 is a module state6.c can't
> be removed (ipv6 lacks module_exit so it cannot be removed).
> 
> The only callers for xfrm6_fini that leads to state backend unregister
> are error unwinding paths that can be called during ipv6 init function.
> 
> So after ipv6 module is loaded successfully the state backend cannot go
> away anymore.
> 
> The family value from policy lookup path is taken from dst_entry, so
> that should always be AF_INET(6).
> 
> However, since this silences the warning and avoids readers of this
> code wondering about possible null deref it seems preferrable to
> be defensive and just add the old check back.
> 
> Fixes: 711059b9752ad0 ("xfrm: add and use xfrm_state_afinfo_get_rcu")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>

Applied to ipsec-next, thanks!