* [PATCH ipsec] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
@ 2020-02-09 13:16 Xin Long
2020-02-13 9:56 ` Steffen Klassert
0 siblings, 1 reply; 2+ messages in thread
From: Xin Long @ 2020-02-09 13:16 UTC (permalink / raw)
To: netdev
Cc: Steffen Klassert, Herbert Xu, David S. Miller, Trent Jaeger,
Jamal Hadi Salim, Sabrina Dubroca, Hangbin Liu
Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
syz:
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650
Call Trace:
dump_stack+0xe8/0x16e
print_address_description.cold.3+0x9/0x23b
kasan_report.cold.4+0x64/0x95
memcpy+0x1f/0x50
selinux_xfrm_alloc_user+0x237/0x430
security_xfrm_policy_alloc+0x5c/0xb0
xfrm_policy_construct+0x2b1/0x650
xfrm_add_acquire+0x21d/0xa10
xfrm_user_rcv_msg+0x431/0x6f0
netlink_rcv_skb+0x15a/0x410
xfrm_netlink_rcv+0x6d/0x90
netlink_unicast+0x50e/0x6a0
netlink_sendmsg+0x8ae/0xd40
sock_sendmsg+0x133/0x170
___sys_sendmsg+0x834/0x9a0
__sys_sendmsg+0x100/0x1e0
do_syscall_64+0xe5/0x660
entry_SYSCALL_64_after_hwframe+0x6a/0xdf
So fix it by adding the missing verify_sec_ctx_len check there.
Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 38ff02d..e6cfaa6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2276,6 +2276,9 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
err = verify_newpolicy_info(&ua->policy);
if (err)
goto free_state;
+ err = verify_sec_ctx_len(attrs);
+ if (err)
+ goto free_state;
/* build an XP */
xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);
--
2.1.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH ipsec] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
2020-02-09 13:16 [PATCH ipsec] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire Xin Long
@ 2020-02-13 9:56 ` Steffen Klassert
0 siblings, 0 replies; 2+ messages in thread
From: Steffen Klassert @ 2020-02-13 9:56 UTC (permalink / raw)
To: Xin Long
Cc: netdev, Herbert Xu, David S. Miller, Trent Jaeger,
Jamal Hadi Salim, Sabrina Dubroca, Hangbin Liu
On Sun, Feb 09, 2020 at 09:16:38PM +0800, Xin Long wrote:
> Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
> out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
> syz:
>
> BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
> Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650
>
> Call Trace:
> dump_stack+0xe8/0x16e
> print_address_description.cold.3+0x9/0x23b
> kasan_report.cold.4+0x64/0x95
> memcpy+0x1f/0x50
> selinux_xfrm_alloc_user+0x237/0x430
> security_xfrm_policy_alloc+0x5c/0xb0
> xfrm_policy_construct+0x2b1/0x650
> xfrm_add_acquire+0x21d/0xa10
> xfrm_user_rcv_msg+0x431/0x6f0
> netlink_rcv_skb+0x15a/0x410
> xfrm_netlink_rcv+0x6d/0x90
> netlink_unicast+0x50e/0x6a0
> netlink_sendmsg+0x8ae/0xd40
> sock_sendmsg+0x133/0x170
> ___sys_sendmsg+0x834/0x9a0
> __sys_sendmsg+0x100/0x1e0
> do_syscall_64+0xe5/0x660
> entry_SYSCALL_64_after_hwframe+0x6a/0xdf
>
> So fix it by adding the missing verify_sec_ctx_len check there.
>
> Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
> Reported-by: Hangbin Liu <liuhangbin@gmail.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Also applied, thanks a lot!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-13 9:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-09 13:16 [PATCH ipsec] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire Xin Long
2020-02-13 9:56 ` Steffen Klassert
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.