* Re: Patch "net: xfrm: fix shift-out-of-bounds in xfrm_get_default" has been added to the 5.10-stable tree
From: Greg KH @ 2022-05-23 16:44 UTC
  To: linux-kernel
  Cc: paskripkin, steffen.klassert, syzbot+b2be9dd8ca6f6c73ee2d,
	stable-commits

On Mon, May 23, 2022 at 06:34:44PM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     net: xfrm: fix shift-out-of-bounds in xfrm_get_default
> 
> to the 5.10-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
> and it can be found in the queue-5.10 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> >From 3c10ffddc61f8a1a59e29a110ba70b47e679206a Mon Sep 17 00:00:00 2001
> From: Pavel Skripkin <paskripkin@gmail.com>
> Date: Thu, 2 Sep 2021 22:04:00 +0300
> Subject: net: xfrm: fix shift-out-of-bounds in xfrm_get_default
> 
> From: Pavel Skripkin <paskripkin@gmail.com>
> 
> commit 3c10ffddc61f8a1a59e29a110ba70b47e679206a upstream.
> 
> Syzbot hit shift-out-of-bounds in xfrm_get_default. The problem was in
> missing validation check for user data.
> 
> up->dirmask comes from user-space, so we need to check if this value
> is less than XFRM_USERPOLICY_DIRMASK_MAX to avoid shift-out-of-bounds bugs.
> 
> Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
> Reported-and-tested-by: syzbot+b2be9dd8ca6f6c73ee2d@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  net/xfrm/xfrm_user.c |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1989,6 +1989,11 @@ static int xfrm_get_default(struct sk_bu
>  		return -EMSGSIZE;
>  	}
>  
> +	if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX) {
> +		kfree_skb(r_skb);
> +		return -EINVAL;
> +	}
> +
>  	r_up = nlmsg_data(r_nlh);
>  	r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
>  	r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
> 
> 
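Review bot: the added check at the top of the hunk depends on `up->dirmask` and `XFRM_USERPOLICY_DIRMASK_MAX`, while the unchanged context right below it fills per-direction fields (`r_up->in`, `r_up->fwd`) and shows no dirmask use, so confirm that both identifiers exist in the 5.10 headers before queuing this backport; the reply below reports that it breaks the build. Separately, the check sits after the `-EMSGSIZE` error path, where the reply skb already exists, which is why it needs `kfree_skb(r_skb)`. Validating the user-supplied value before the reply skb is allocated would let the invalid-input path return `-EINVAL` with no cleanup and no allocation driven by bad input.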
> Patches currently in stable-queue which might be from paskripkin@gmail.com are
> 
> queue-5.10/net-xfrm-fix-shift-out-of-bounce.patch
> queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch

Nevermind, this breaks the build, now dropping it.

greg k-h
