authorJiri Slaby <jslaby@suse.cz>2019-02-15 10:23:48 +0100
committerJiri Slaby <jslaby@suse.cz>2019-02-15 10:24:16 +0100
commit7a25d425a420b54f2fceb70db7547808b652423c (patch)
treee3cb7b457a0826a75cf24c32f9998b0b43bfa282
parent17417cca092024db5bcc098b54625c0ba75b1115 (diff)
xfrm: refine validation of template and selector families
-rw-r--r--patches.kernel.org/4.20.9-048-xfrm-refine-validation-of-template-and-selecto.patch69
-rw-r--r--series.conf1
2 files changed, 70 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.9-048-xfrm-refine-validation-of-template-and-selecto.patch b/patches.kernel.org/4.20.9-048-xfrm-refine-validation-of-template-and-selecto.patch
new file mode 100644
index 0000000000..81d132333a
--- /dev/null
+++ b/patches.kernel.org/4.20.9-048-xfrm-refine-validation-of-template-and-selecto.patch
@@ -0,0 +1,69 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 9 Jan 2019 14:37:34 +0100
+Subject: [PATCH] xfrm: refine validation of template and selector families
+References: bnc#1012628
+Patch-mainline: 4.20.9
+Git-commit: 35e6103861a3a970de6c84688c6e7a1f65b164ca
+
+commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream.
+
+The check assumes that in transport mode, the first templates family
+must match the address family of the policy selector.
+
+Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
+with ipv4-in-ipv6 chain, leading to following splat:
+
+BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
+Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
+ xfrm_state_find+0x1db/0x1854
+ xfrm_tmpl_resolve+0x100/0x1d0
+ xfrm_resolve_and_create_bundle+0x108/0x1000 [..]
+
+Problem is that addresses point into flowi4 struct, but xfrm_state_find
+treats them as being ipv6 because it uses templ->encap_family is used
+(AF_INET6 in case of reproducer) rather than family (AF_INET).
+
+This patch inverts the logic: Enforce 'template family must match
+selector' EXCEPT for tunnel and BEET mode.
+
+In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
+address pointers changed to point at the addresses found in the template,
+rather than the flowi ones, so no oob read will occur.
+
+Reported-by: 3ntr0py1337@gmail.com
+Reported-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/xfrm/xfrm_user.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 277c1c46fe94..c6d26afcf89d 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1488,10 +1488,15 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
+ if (!ut[i].family)
+ ut[i].family = family;
+
+- if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
+- (ut[i].family != prev_family))
+- return -EINVAL;
+-
++ switch (ut[i].mode) {
++ case XFRM_MODE_TUNNEL:
++ case XFRM_MODE_BEET:
++ break;
++ default:
++ if (ut[i].family != prev_family)
++ return -EINVAL;
++ break;
++ }
+ if (ut[i].mode >= XFRM_MODE_MAX)
+ return -EINVAL;
+
+--
+2.20.1
+
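Review bot: The `case XFRM_MODE_TUNNEL:` / `case XFRM_MODE_BEET:` labels that exempt those two modes from the family comparison carry no comment saying why the exemption is safe only there; the reason is stated in the commit message (xfrm_tmpl_resolve_one repoints the local/remote addresses at the template's own addresses in those modes, so the flowi is not read through the wrong family) and belongs in the code above the switch: `/* tunnel/BEET: xfrm_tmpl_resolve_one repoints the addresses to the template's, so a family change is safe; any other mode reads the selector's flowi and must keep its family */`. As a point of style, the `if (ut[i].mode >= XFRM_MODE_MAX) return -EINVAL;` that follows the switch would read better placed before it, so the switch dispatches only on validated modes; as written an out-of-range mode first takes the `default:` branch and is rejected by the range check only afterwards, with the same -EINVAL either way. validate_tmpl begins before and continues past this hunk, and the loop that sets prev_family is not visible here.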
diff --git a/series.conf b/series.conf
index d1432e43fd..8aaa420f6e 100644
--- a/series.conf
+++ b/series.conf
@@ -1130,6 +1130,7 @@
patches.kernel.org/4.20.9-045-drm-i915-Try-to-sanitize-bogus-DPLL-state-left.patch
patches.kernel.org/4.20.9-046-Revert-ext4-use-ext4_write_inode-when-fsyncing.patch
patches.kernel.org/4.20.9-047-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph_.patch
+ patches.kernel.org/4.20.9-048-xfrm-refine-validation-of-template-and-selecto.patch
########################################################
# Build fixes that apply to the vanilla kernel too.