From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 08/34] xfrm4: Fix uninitialized memory read in _decode_session4
Date: Thu, 16 May 2019 07:39:05 -0400	[thread overview]
Message-ID: <20190516113932.8348-8-sashal@kernel.org> (raw)
In-Reply-To: <20190516113932.8348-1-sashal@kernel.org>

From: Steffen Klassert <steffen.klassert@secunet.com>

[ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ]

We currently don't reload pointers pointing into skb header
after doing pskb_may_pull() in _decode_session4(). So in case
pskb_may_pull() changed the pointers, we read from random
memory. Fix this by putting all the needed information on the
stack, so that we don't need to access the header pointers
after doing pskb_may_pull().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/xfrm4_policy.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index d73a6d6652f60..2b144b92ae46a 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -111,7 +111,8 @@ static void
 _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 {
 	const struct iphdr *iph = ip_hdr(skb);
-	u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
+	int ihl = iph->ihl;
+	u8 *xprth = skb_network_header(skb) + ihl * 4;
 	struct flowi4 *fl4 = &fl->u.ip4;
 	int oif = 0;
 
@@ -122,6 +123,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 	fl4->flowi4_mark = skb->mark;
 	fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
 
+	fl4->flowi4_proto = iph->protocol;
+	fl4->daddr = reverse ? iph->saddr : iph->daddr;
+	fl4->saddr = reverse ? iph->daddr : iph->saddr;
+	fl4->flowi4_tos = iph->tos;
+
 	if (!ip_is_fragment(iph)) {
 		switch (iph->protocol) {
 		case IPPROTO_UDP:
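Review bot: The invariant that this reordering establishes — every field taken from `iph` is read before the first `pskb_may_pull()` in the case bodies, because the pull may reallocate the header and leave `iph` dangling — is not written down anywhere, so it only holds until someone adds another `iph->` read after a pull; a comment above the moved block such as `/* pskb_may_pull() below may move the header: read everything needed from iph now, never after a pull */` would make it explicit, and the `int ihl = iph->ihl;` line in the previous hunk deserves a similar one-line note since the six hunks that follow all recompute `xprth` from it for the same reason. The `switch (iph->protocol)` directly below still touches the header; it runs before any pull so it is safe, but `switch (fl4->flowi4_proto)`, assigned just above it, would keep all header reads in one place. Only the parts of `_decode_session4` inside the hunks are visible here, so I cannot confirm there is no remaining `iph` access in the unseen lines between them.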
@@ -133,7 +139,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
 				__be16 *ports;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ports = (__be16 *)xprth;
 
 				fl4->fl4_sport = ports[!!reverse];
@@ -146,7 +152,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 2 - skb->data)) {
 				u8 *icmp;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				icmp = xprth;
 
 				fl4->fl4_icmp_type = icmp[0];
@@ -159,7 +165,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
 				__be32 *ehdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ehdr = (__be32 *)xprth;
 
 				fl4->fl4_ipsec_spi = ehdr[0];
@@ -171,7 +177,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 8 - skb->data)) {
 				__be32 *ah_hdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ah_hdr = (__be32 *)xprth;
 
 				fl4->fl4_ipsec_spi = ah_hdr[1];
@@ -183,7 +189,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
 				__be16 *ipcomp_hdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ipcomp_hdr = (__be16 *)xprth;
 
 				fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
@@ -196,7 +202,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 				__be16 *greflags;
 				__be32 *gre_hdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				greflags = (__be16 *)xprth;
 				gre_hdr = (__be32 *)xprth;
 
@@ -213,10 +219,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			break;
 		}
 	}
-	fl4->flowi4_proto = iph->protocol;
-	fl4->daddr = reverse ? iph->saddr : iph->daddr;
-	fl4->saddr = reverse ? iph->daddr : iph->saddr;
-	fl4->flowi4_tos = iph->tos;
 }
 
 static void xfrm4_update_pmtu(struct dst_entry *dst, struct sock *sk,
-- 
2.20.1


