| From foo@baz Mon Apr 9 17:09:24 CEST 2018 |
| From: Steffen Klassert <steffen.klassert@secunet.com> |
| Date: Fri, 5 May 2017 07:40:42 +0200 |
| Subject: af_key: Fix slab-out-of-bounds in pfkey_compile_policy. |
| |
| From: Steffen Klassert <steffen.klassert@secunet.com> |
| |
| |
| [ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ] |
| |
| The sadb_x_sec_len is stored in the unit 'byte divided by eight'. |
| So we have to multiply this value by eight before we can do |
| size checks. Otherwise we may get a slab-out-of-bounds when |
| we memcpy the user sec_ctx. |
| |
| Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.") |
| Reported-by: Andrey Konovalov <andreyknvl@google.com> |
| Tested-by: Andrey Konovalov <andreyknvl@google.com> |
| Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/key/af_key.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/key/af_key.c |
| +++ b/net/key/af_key.c |
| @@ -3305,7 +3305,7 @@ static struct xfrm_policy *pfkey_compile |
| p += pol->sadb_x_policy_len*8; |
| sec_ctx = (struct sadb_x_sec_ctx *)p; |
| if (len < pol->sadb_x_policy_len*8 + |
| - sec_ctx->sadb_x_sec_len) { |
| + sec_ctx->sadb_x_sec_len*8) { |
| *dir = -EINVAL; |
| goto out; |
| } |