From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Timo Teras <timo.teras@iki.fi>,
	Christophe Gouault <christophe.gouault@6wind.com>,
	syzbot <bot+c028095236fcb6f4348811565b75084c754dc729@syzkaller.appspotmail.com>,
	Florian Westphal <fw@strlen.de>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Zubin Mithra <zsm@chromium.org>
Subject: [PATCH 4.4 076/105] xfrm: skip policies marked as dead while rehashing
Date: Sun,  1 Jul 2018 18:02:26 +0200
Message-ID: <20180701153154.914240155@linuxfoundation.org>
In-Reply-To: <20180701153149.382300170@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 862591bf4f519d1b8d859af720fafeaebdd0162a upstream.

syzkaller triggered the following KASAN splat:

BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23 [..]
Workqueue: events xfrm_hash_rebuild [..]
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
 xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
 process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
 worker_thread+0x223/0x1990 kernel/workqueue.c:2246 [..]

The reproducer triggers:
1016                 if (error) {
1017                         list_move_tail(&walk->walk.all, &x->all);
1018                         goto out;
1019                 }

in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
callback returns -ENOBUFS).

In this case, *walk is located in the pfkey socket struct, so this socket
becomes visible in the global policy list.

It looks like this is intentional -- the phony walker has walk.dead set to 1
and all other places skip such "policies".

Ccing original authors of the two commits that seem to expose this
issue (first patch missed ->dead check, second patch adds pfkey
sockets to policies dumper list).

Fixes: 880a6fab8f6ba5b ("xfrm: configure policy hash table thresholds by netlink")
Fixes: 12a169e7d8f4b1c ("ipsec: Put dumpers on the dump list")
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Timo Teras <timo.teras@iki.fi>
Cc: Christophe Gouault <christophe.gouault@6wind.com>
Reported-by: syzbot <bot+c028095236fcb6f4348811565b75084c754dc729@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_policy.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -626,7 +626,8 @@ static void xfrm_hash_rebuild(struct wor
 
 	/* re-insert all policies by order of creation */
 	list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
-		if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
+		if (policy->walk.dead ||
+		    xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
 			/* skip socket policies */
 			continue;
 		}
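Review bot: the order of the two conditions in the new `if` is load-bearing, not cosmetic: `policy->walk.dead` is tested first so that `||` short-circuits before `xfrm_policy_id2dir(policy->index)` reads `index`, which for the phony walker entries described in the commit message lies outside the embedded walk struct (the out-of-bounds read in the splat). Nothing in the hunk records that, and the unchanged `/* skip socket policies */` comment now understates what the branch skips; suggest `/* skip dead walkers and socket policies; walk.dead must be checked first */` so a later reordering of the conditions does not quietly reintroduce the read.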


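Added example, not code from the patch or the kernel tree: a small C model of the list shape the commit message describes, where policy_all carries both full policies and a bare walker embedded in another object, showing why the dead check sits on the walker member both node kinds share and is evaluated before index. The structures, the XFRM_POLICY_MAX value and xfrm_policy_id2dir() are modelled on the kernel's definitions; the list helpers and the demo() scenario are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal intrusive list in the style of the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* Walker shared by both node kinds; dead marks killed policies and the
 * phony dumper alike.  A real policy keeps index behind the walker; the
 * pfkey stand-in embeds only the walker, so no index exists there. */
struct xfrm_policy_walk_entry { struct list_head all; uint8_t dead; };
struct xfrm_policy { struct xfrm_policy_walk_entry walk; uint32_t index; };
struct pfkey_dumper { struct xfrm_policy_walk_entry walk; };
/* Modelled on the kernel: dir is the low 3 bits of index, and dirs
 * >= XFRM_POLICY_MAX (3) belong to per-socket policies. */
#define XFRM_POLICY_MAX 3
static int xfrm_policy_id2dir(uint32_t index) { return index & 7; }
/* The patched loop, reduced to counting what would be rehashed.
 * walk.dead is tested first, so || short-circuits before index is read;
 * that is what keeps the dumper from being read past its real object. */
static int rebuild_count(struct list_head *policy_all)
{
	int n = 0;
	for (struct list_head *p = policy_all->next; p != policy_all; p = p->next) {
		struct xfrm_policy *pol = container_of(p, struct xfrm_policy, walk.all);
		if (pol->walk.dead || xfrm_policy_id2dir(pol->index) >= XFRM_POLICY_MAX)
			continue; /* skip dead walkers and socket policies */
		n++;
	}
	return n;
}
/* Constructed scenario: two live policies, one killed policy, one socket
 * policy and one dumper on policy_all; only the two live ones count. */
static int demo(void)
{
	struct list_head head = { &head, &head };
	struct xfrm_policy live_in = { .index = 0 }, live_out = { .index = 9 };
	struct xfrm_policy killed = { .walk = { .dead = 1 }, .index = 16 };
	struct xfrm_policy sock_pol = { .index = 4 }; /* dir 4 >= XFRM_POLICY_MAX */
	struct pfkey_dumper dumper = { .walk = { .dead = 1 } };
	list_add_tail(&live_in.walk.all, &head);
	list_add_tail(&live_out.walk.all, &head);
	list_add_tail(&killed.walk.all, &head);
	list_add_tail(&sock_pol.walk.all, &head);
	list_add_tail(&dumper.walk.all, &head);
	return rebuild_count(&head);
}
```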
