authorTony Lambiris2017-12-26 12:58:10 -0500
committerTony Lambiris2017-12-26 12:58:10 -0500
commit25f4684cd588033e2ff25444221d8ad6ec77277f (patch)
tree659ee3dbd7b7684c1b76cdda2481e93d409cb580 /0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
parent0a2aa9683827726495bcbca4cb1f01c659d71fb6 (diff)
downloadaur-25f4684cd588033e2ff25444221d8ad6ec77277f.tar.gz
Version bump, sync with upstream
Diffstat (limited to '0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch')
-rw-r--r--0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
new file mode 100644
index 000000000000..ad4614492736
--- /dev/null
+++ b/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
@@ -0,0 +1,49 @@
+From 1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f Mon Sep 17 00:00:00 2001
+Message-Id: <1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f.1514245012.git.jan.steffens@gmail.com>
+In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Fri, 22 Dec 2017 10:44:57 +0100
+Subject: [PATCH 2/3] xfrm: Fix stack-out-of-bounds read on socket policy
+ lookup.
+
+When we do tunnel or beet mode, we pass saddr and daddr from the
+template to xfrm_state_find(), this is ok. On transport mode,
+we pass the addresses from the flowi, assuming that the IP
+addresses (and address family) don't change during transformation.
+This assumption is wrong in the IPv4 mapped IPv6 case, packet
+is IPv4 and template is IPv6.
+
+Fix this by catching address family missmatches of the policy
+and the flow already before we do the lookup.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index a2e531bf4f976308..c79ed3bed5d4dc2f 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
+ again:
+ pol = rcu_dereference(sk->sk_policy[dir]);
+ if (pol != NULL) {
+- bool match = xfrm_selector_match(&pol->selector, fl, family);
++ bool match;
+ int err = 0;
+
++ if (pol->family != family) {
++ pol = NULL;
++ goto out;
++ }
++
++ match = xfrm_selector_match(&pol->selector, fl, family);
+ if (match) {
+ if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
+ pol = NULL;
+--
+2.15.1
+