| From 88629fdeab9704e2a0278ae639261aa6eba450dc Mon Sep 17 00:00:00 2001 |
| From: Sean Tranchetti <stranche@codeaurora.org> |
| Date: Wed, 19 Sep 2018 13:54:56 -0600 |
| Subject: xfrm: validate template mode |
| |
| [ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ] |
| |
| XFRM mode parameters passed as part of the user templates |
| in the IP_XFRM_POLICY are never properly validated. Passing |
| values other than valid XFRM modes can cause stack-out-of-bounds |
| reads to occur later in the XFRM processing: |
| |
| [ 140.535608] ================================================================ |
| [ 140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4 |
| [ 140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148 |
| [ 140.557369] |
| [ 140.558927] Call trace: |
| [ 140.558936] dump_backtrace+0x0/0x388 |
| [ 140.558940] show_stack+0x24/0x30 |
| [ 140.558946] __dump_stack+0x24/0x2c |
| [ 140.558949] dump_stack+0x8c/0xd0 |
| [ 140.558956] print_address_description+0x74/0x234 |
| [ 140.558960] kasan_report+0x240/0x264 |
| [ 140.558963] __asan_report_load4_noabort+0x2c/0x38 |
| [ 140.558967] xfrm_state_find+0x17e4/0x1cc4 |
| [ 140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8 |
| [ 140.558975] xfrm_lookup+0x238/0x1444 |
| [ 140.558977] xfrm_lookup_route+0x48/0x11c |
| [ 140.558984] ip_route_output_flow+0x88/0xc4 |
| [ 140.558991] raw_sendmsg+0xa74/0x266c |
| [ 140.558996] inet_sendmsg+0x258/0x3b0 |
| [ 140.559002] sock_sendmsg+0xbc/0xec |
| [ 140.559005] SyS_sendto+0x3a8/0x5a8 |
| [ 140.559008] el0_svc_naked+0x34/0x38 |
| [ 140.559009] |
| [ 140.592245] page dumped because: kasan: bad access detected |
| [ 140.597981] page_owner info is not active (free page?) |
| [ 140.603267] |
| [ 140.653503] ================================================================ |
| |
| Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
| Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/xfrm/xfrm_user.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c |
| index b7ac834a6091..026770884d46 100644 |
| --- a/net/xfrm/xfrm_user.c |
| +++ b/net/xfrm/xfrm_user.c |
| @@ -1412,6 +1412,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) |
| (ut[i].family != prev_family)) |
| return -EINVAL; |
| |
| + if (ut[i].mode >= XFRM_MODE_MAX) |
| + return -EINVAL; |
| + |
| prev_family = ut[i].family; |
| |
| switch (ut[i].family) { |
| -- |
| 2.17.1 |
| |