From patchwork Tue Dec 5 14:03:46 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcelo Henrique Cerri X-Patchwork-Id: 844751 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3yrk4s0qB5z9t8J; Wed, 6 Dec 2017 01:04:13 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1eMDpR-0007S3-4W; Tue, 05 Dec 2017 14:04:09 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1eMDpN-0007R5-M1 for kernel-team@lists.ubuntu.com; Tue, 05 Dec 2017 14:04:05 +0000 Received: from mail-qt0-f199.google.com ([209.85.216.199]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1eMDpN-0008JS-CV for kernel-team@lists.ubuntu.com; Tue, 05 Dec 2017 14:04:05 +0000 Received: by mail-qt0-f199.google.com with SMTP id g49so264788qta.8 for ; Tue, 05 Dec 2017 06:04:05 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=1GO82g+YTlcTEFAT/JGd0znouXXz4MEbSXeyRZ415tU=; b=K2nk2riz9FPfhFYVCsyAmRzLpaWflC2apyoLR1tcGA18ndtFlkhApuTWNT6lJRGzSP 04CZhG8xx6QITP2NcJvgmedzqc7Lq2AoXxXFStlsA7hSmj3gT5Sp/zcBfi0XiX2mrXVe CGj05wXN70uA7h50Z7BwUzPTuNevKCku1YLH3JMFtVAbGUnmGafd2rEN5mBMXMbdXRfM MO1ahGYcBoqnL6hpLbe837o2pA1GDXSLCqQHMH+J0wAzUn9Lqlmgf4alu5E/z2b6QRAW SEcfA+3N4VBMMM51EWOn/aNqd3e58j3pBtBxrtrI8kWOPNMGGmK/GqgMCTAmgo9TlfbS VEDw== X-Gm-Message-State: AKGB3mIV9CwlGcu5twrCXpuGmb0RioDF29EYnU/MRIuGUdbvPDd7ma4y Ng8lme5U+urUOrVQ55OsiWtqeKf1kdNRYCH6j+T6LbzODOSH/P+xQVsVpfIKfD0A+vgyfvrgZ6t eeHovH5KEJ7dsg+sGeAZx92jlVGoiDqJbgtsL+PCq X-Received: by 10.55.50.129 with SMTP id y123mr20927632qky.86.1512482644155; Tue, 05 Dec 2017 06:04:04 -0800 (PST) X-Google-Smtp-Source: AGs4zMah1TrUIvNxENym0SsafoPSU/e1WLpBKdeuqCj6H4Hw7llB+7NtYtDT+8z9OR6YgNYF4u9oqg== X-Received: by 10.55.50.129 with SMTP id y123mr20927624qky.86.1512482643900; Tue, 05 Dec 2017 06:04:03 -0800 (PST) Received: from localhost.localdomain ([177.102.249.247]) by smtp.gmail.com with ESMTPSA id u21sm167202qku.8.2017.12.05.06.04.01 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 05 Dec 2017 06:04:02 -0800 (PST) From: Marcelo Henrique Cerri To: kernel-team@lists.ubuntu.com Subject: [azure][PATCH 1/2] ipsec: Fix aborted xfrm policy dump crash Date: Tue, 5 Dec 2017 12:03:46 -0200 Message-Id: <1512482627-29116-2-git-send-email-marcelo.cerri@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1512482627-29116-1-git-send-email-marcelo.cerri@canonical.com> References: <1512482627-29116-1-git-send-email-marcelo.cerri@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Herbert Xu An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program. The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full. This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation. Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list") Signed-off-by: Herbert Xu Signed-off-by: Steffen Klassert CVE-2017-16939 (cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2) Signed-off-by: Marcelo Henrique Cerri Acked-by: Kleber Sacilotto de Souza --- net/xfrm/xfrm_user.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 66698552fbd6..4638446c1c41 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1656,32 +1656,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr static int xfrm_dump_policy_done(struct netlink_callback *cb) { - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; struct net *net = sock_net(cb->skb->sk); xfrm_policy_walk_done(walk, net); return 0; } +static int xfrm_dump_policy_start(struct netlink_callback *cb) +{ + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; + + BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args)); + + xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); + return 0; +} + static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) { struct net *net = sock_net(skb->sk); - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; struct xfrm_dump_info info; - BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) > - sizeof(cb->args) - sizeof(cb->args[0])); - info.in_skb = cb->skb; info.out_skb = skb; info.nlmsg_seq = cb->nlh->nlmsg_seq; info.nlmsg_flags = NLM_F_MULTI; - if (!cb->args[0]) { - cb->args[0] = 1; - xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); - } - (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); return skb->len; @@ -2416,6 +2418,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = { static const struct xfrm_link { int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **); + int (*start)(struct netlink_callback *); int (*dump)(struct sk_buff *, struct netlink_callback *); int (*done)(struct netlink_callback *); const struct nla_policy *nla_pol; @@ -2429,6 +2432,7 @@ static const struct xfrm_link { [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, + .start = xfrm_dump_policy_start, .dump = xfrm_dump_policy, .done = xfrm_dump_policy_done }, [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, @@ -2480,6 +2484,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { struct netlink_dump_control c = { + .start = link->start, .dump = link->dump, .done = link->done, };