All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Shmulik Ladkani <shmulik.ladkani@gmail.com>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 22/37] xfrm: Fix oops in xfrm_replay_advance_bmp
Date: Tue,  2 Feb 2021 14:39:05 +0100	[thread overview]
Message-ID: <20210202132943.834015659@linuxfoundation.org> (raw)
In-Reply-To: <20210202132942.915040339@linuxfoundation.org>

From: Shmulik Ladkani <shmulik@metanetworks.com>

[ Upstream commit 56ce7c25ae1525d83cf80a880cf506ead1914250 ]

When setting xfrm replay_window to values higher than 32, a rare
page-fault occurs in xfrm_replay_advance_bmp:

  BUG: unable to handle page fault for address: ffff8af350ad7920
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD ad001067 P4D ad001067 PUD 0
  Oops: 0002 [#1] SMP PTI
  CPU: 3 PID: 30 Comm: ksoftirqd/3 Kdump: loaded Not tainted 5.4.52-050452-generic #202007160732
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
  RIP: 0010:xfrm_replay_advance_bmp+0xbb/0x130
  RSP: 0018:ffffa1304013ba40 EFLAGS: 00010206
  RAX: 000000000000010d RBX: 0000000000000002 RCX: 00000000ffffff4b
  RDX: 0000000000000018 RSI: 00000000004c234c RDI: 00000000ffb3dbff
  RBP: ffffa1304013ba50 R08: ffff8af330ad7920 R09: 0000000007fffffa
  R10: 0000000000000800 R11: 0000000000000010 R12: ffff8af29d6258c0
  R13: ffff8af28b95c700 R14: 0000000000000000 R15: ffff8af29d6258fc
  FS:  0000000000000000(0000) GS:ffff8af339ac0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffff8af350ad7920 CR3: 0000000015ee4000 CR4: 00000000001406e0
  Call Trace:
   xfrm_input+0x4e5/0xa10
   xfrm4_rcv_encap+0xb5/0xe0
   xfrm4_udp_encap_rcv+0x140/0x1c0

Analysis revealed offending code is when accessing:

	replay_esn->bmp[nr] |= (1U << bitnr);

with 'nr' being 0x07fffffa.

This happened in an SMP system when reordering of packets was present;
A packet arrived with a "too old" sequence number (outside the window,
i.e 'diff > replay_window'), and therefore the following calculation:

			bitnr = replay_esn->replay_window - (diff - pos);

yields a negative result, but since bitnr is u32 we get a large unsigned
quantity (in crash dump above: 0xffffff4b seen in ecx).

This was supposed to be protected by xfrm_input()'s former call to:

		if (x->repl->check(x, skb, seq)) {

However, the state's spinlock x->lock is *released* after '->check()'
is performed, and gets re-acquired before '->advance()' - which gives a
chance for a different core to update the xfrm state, e.g. by advancing
'replay_esn->seq' when it encounters more packets - leading to a
'diff > replay_window' situation when original core continues to
xfrm_replay_advance_bmp().

An attempt to fix this issue was suggested in commit bcf66bf54aab
("xfrm: Perform a replay check after return from async codepaths"),
by calling 'x->repl->recheck()' after lock is re-acquired, but fix
applied only to asyncronous crypto algorithms.

Augment the fix, by *always* calling 'recheck()' - irrespective if we're
using async crypto.

Fixes: 0ebea8ef3559 ("[IPSEC]: Move state lock into x->type->input")
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 0ee13d12782fb..fcba8a139f61e 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -420,7 +420,7 @@ resume:
 		/* only the first xfrm gets the encap type */
 		encap_type = 0;
 
-		if (async && x->repl->recheck(x, skb, seq)) {
+		if (x->repl->recheck(x, skb, seq)) {
 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
 			goto drop_unlock;
 		}
-- 
2.27.0




  parent reply	other threads:[~2021-02-02 14:49 UTC|newest]

Thread overview: 44+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-02 13:38 [PATCH 4.19 00/37] 4.19.173-rc1 review Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 01/37] nbd: freeze the queue while were adding connections Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 02/37] ACPI: sysfs: Prefer "compatible" modalias Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 03/37] kernel: kexec: remove the lock operation of system_transition_mutex Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 04/37] xen/privcmd: allow fetching resource sizes Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 05/37] ALSA: hda/via: Apply the workaround generically for Clevo machines Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 06/37] media: rc: ensure that uevent can be read directly after rc device register Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 07/37] ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 08/37] wext: fix NULL-ptr-dereference with cfg80211s lack of commit() Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 09/37] net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 10/37] PM: hibernate: flush swap writer after marking Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 11/37] drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 12/37] drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 13/37] KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 14/37] KVM: x86: get smi pending status correctly Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 15/37] xen: Fix XenStore initialisation for XS_LOCAL Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 16/37] leds: trigger: fix potential deadlock with libata Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 17/37] mt7601u: fix kernel crash unplugging the device Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 18/37] mt7601u: fix rx buffer refcounting Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 19/37] xen-blkfront: allow discard-* nodes to be optional Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 20/37] ARM: imx: build suspend-imx6.S with arm instruction set Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 21/37] netfilter: nft_dynset: add timeout extension to template Greg Kroah-Hartman
2021-02-02 13:39 ` Greg Kroah-Hartman [this message]
2021-02-02 13:39 ` [PATCH 4.19 23/37] xfrm: fix disable_xfrm sysctl when used on xfrm interfaces Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 24/37] RDMA/cxgb4: Fix the reported max_recv_sge value Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 25/37] pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 26/37] iwlwifi: pcie: use jiffies for memory read spin time limit Greg Kroah-Hartman
2021-02-03 20:42   ` Pavel Machek
2021-02-02 13:39 ` [PATCH 4.19 27/37] iwlwifi: pcie: reschedule in long-running memory reads Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 28/37] mac80211: pause TX while changing interface type Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 29/37] net/mlx5: Fix memory leak on flow table creation error flow Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 30/37] can: dev: prevent potential information leak in can_fill_info() Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 31/37] iommu/vt-d: Gracefully handle DMAR units with no supported address widths Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 32/37] iommu/vt-d: Dont dereference iommu_device if IOMMU_API is not built Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 33/37] rxrpc: Fix memory leak in rxrpc_lookup_local Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 34/37] NFC: fix resource leak when target index is invalid Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 35/37] NFC: fix possible resource leak Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 36/37] team: protect features update by RCU to avoid deadlock Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 37/37] tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN Greg Kroah-Hartman
2021-02-02 17:48 ` [PATCH 4.19 00/37] 4.19.173-rc1 review Pavel Machek
2021-02-02 20:21 ` Jon Hunter
2021-02-03  3:22 ` Naresh Kamboju
2021-02-03 15:42 ` Shuah Khan
2021-02-03 20:42 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210202132943.834015659@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=shmulik.ladkani@gmail.com \
    --cc=stable@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.