Date: Fri, 5 May 2017 11:11:05 +0200
From: Steffen Klassert
To: Andrey Konovalov
CC: Herbert Xu, "David S. Miller", netdev, LKML
Subject: Re: net/key: slab-out-of-bounds in pfkey_compile_policy
Message-ID: <20170505091105.GA9813@secunet.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 02, 2017 at 06:45:03PM +0200, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit d3b5d35290d729a2518af00feca867385a1b08fa (4.11).
>
> A reproducer and .config are attached.
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 at
> addr ffff88006701f798
> Read of size 1280 by task a.out/4181

This bug was introduced twelve years ago...

This patch is based just on code review, I don't have an option
to function test this. But I see that we now exit with -EINVAL
before the memcpy that causes the slab-out-of-bounds when using
your reproducer, so it should at least fix the bug.

Subject: [PATCH RFC] af_key: Fix slab-out-of-bounds in pfkey_compile_policy.

The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do size
checks. Otherwise we may get a slab-out-of-bounds when we memcpy
the user sec_ctx.

Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov
Signed-off-by: Steffen Klassert --- net/key/af_key.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/key/af_key.c b/net/key/af_key.c index c1950bb..512dc43 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -3285,7 +3285,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt, p += pol->sadb_x_policy_len*8; sec_ctx = (struct sadb_x_sec_ctx *)p; if (len < pol->sadb_x_policy_len*8 + - sec_ctx->sadb_x_sec_len) { + sec_ctx->sadb_x_sec_len*8) { *dir = -EINVAL; goto out; } -- 2.7.4
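Review bot: the corrected comparison still reads sec_ctx->sadb_x_sec_len before anything in this hunk establishes that len covers the sadb_x_sec_ctx header at p; the visible guard only compares against pol->sadb_x_policy_len*8 plus the scaled sec_len, so if the surrounding code does not already guarantee len >= pol->sadb_x_policy_len*8 + sizeof(struct sadb_x_sec_ctx), the first out-of-range read moves from the memcpy to the check itself. Consider adding that header-size guard ahead of `sec_ctx = (struct sadb_x_sec_ctx *)p;` so the length field is only dereferenced once it is known to be inside the user buffer, and note in the commit message that this is the same 8-byte unit convention already applied to sadb_x_policy_len on the line above.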
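An added userland example (not code from the patch or the kernel) that reproduces the unit mismatch the commit message describes: a constructed 32-byte PF_KEY message whose sec_ctx claims 20 eight-byte units is run once through the pre-patch arithmetic and once through the patched one, and the accepted/rejected verdict is reported together with how far a memcpy of the claimed size would overrun the buffer. The struct layouts, exttype values and the header guard are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the two PF_KEY extensions pfkey_compile_policy()
 * walks. Field names follow the kernel's; the layout is this example's own
 * assumption, not the kernel ABI. Every PF_KEY length is in 8-byte units. */
struct sadb_x_policy { uint16_t sadb_x_policy_len, sadb_x_policy_exttype; uint8_t rest[4]; };
struct sadb_x_sec_ctx {
    uint16_t sadb_x_sec_len, sadb_x_sec_exttype; /* sec_len: 8-byte units */
    uint8_t  sadb_x_ctx_alg, sadb_x_ctx_doi;
    uint16_t sadb_x_ctx_len;                     /* context string, in bytes */
};
/* accepted: would the check let the message through? overrun: how many bytes a
 * memcpy of the whole sec_ctx (sadb_x_sec_len*8 bytes) would read past len. */
struct verdict { bool accepted; size_t overrun; };
/* The hunk's size check: scale = 1 is the pre-patch check, scale = 8 the patched
 * one. A guard for the sec_ctx header is added so this demo never reads past msg. */
static struct verdict sec_ctx_check(const uint8_t *msg, size_t len, unsigned scale)
{
    struct verdict v = { false, 0 };
    const struct sadb_x_policy *pol = (const struct sadb_x_policy *)msg;
    size_t off = (size_t)pol->sadb_x_policy_len * 8;
    if (len < off + sizeof(struct sadb_x_sec_ctx))
        return v;
    const struct sadb_x_sec_ctx *sec = (const struct sadb_x_sec_ctx *)(msg + off);
    size_t copy_end = off + (size_t)sec->sadb_x_sec_len * 8;
    v.overrun = copy_end > len ? copy_end - len : 0;
    v.accepted = len >= off + (size_t)sec->sadb_x_sec_len * scale;
    return v;
}
/* Constructed 32-byte message: an 8-byte policy, then a sec_ctx claiming
 * 20 units (160 bytes) although only 24 bytes of it are actually present. */
static size_t build_sample_msg(uint8_t out[32])
{
    struct sadb_x_policy pol = { .sadb_x_policy_len = 1, .sadb_x_policy_exttype = 18 };
    struct sadb_x_sec_ctx sec = { .sadb_x_sec_len = 20, .sadb_x_sec_exttype = 24,
                                  .sadb_x_ctx_alg = 1, .sadb_x_ctx_doi = 1, .sadb_x_ctx_len = 16 };
    memcpy(out, &pol, sizeof pol);
    memcpy(out + 8, &sec, sizeof sec);
    memcpy(out + 16, "system_u:object", 16); /* 15 chars + NUL */
    return 32;
}
/* Run the sample through one variant of the check (scale 1: pre-patch, 8: patched). */
static struct verdict sample_check(unsigned scale)
{
    uint8_t msg[32]; size_t len = build_sample_msg(msg);
    return sec_ctx_check(msg, len, scale);
}
```

With scale 1 the sample is accepted even though copying the claimed 160 bytes would read 136 bytes past the end of the buffer; with scale 8 the same message is rejected before any copy.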