Message ID | afee25abdf818c7a7374773a6f347cf5c719038e.1581254129.git.lucien.xin@gmail.com |
---|---|
State | Awaiting Upstream |
Delegated to: | David Miller |
Headers | show |
Series | [ipsec] xfrm: fix uctx len check in verify_sec_ctx_len | expand |
On Sun, Feb 09, 2020 at 09:15:29PM +0800, Xin Long wrote: > It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + > uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), > in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str > later. > > This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). > > Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") > Signed-off-by: Xin Long <lucien.xin@gmail.com> Applied, thanks!
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index b88ba45..38ff02d 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -110,7 +110,8 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs) return 0; uctx = nla_data(rt); - if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) + if (uctx->len > nla_len(rt) || + uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) return -EINVAL; return 0;
It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") Signed-off-by: Xin Long <lucien.xin@gmail.com> --- net/xfrm/xfrm_user.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)