author | Irvine | 2017-12-26 08:38:50 +0000 |
committer | Irvine | 2017-12-26 08:38:50 +0000 |
commit | eab8782a81b9b041bd97a0562ad76af20ba53997 (patch) | |
tree | 0b37f846ad3155dbe592574ae8681c70b70a0bb8 /xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch | |
parent | bc5422ab98ca44bb89a707d89c467211c623bd15 (diff) | |
Sync with linux-hardened-4.14.9.-1
Diffstat (limited to 'xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch')
-rw-r--r-- | xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch b/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
new file mode 100644
index 000000000000..0767c4c5ad80
--- /dev/null
+++ b/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
@@ -0,0 +1,53 @@
+From patchwork Fri Dec 22 09:44:57 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [4/8] xfrm: Fix stack-out-of-bounds read on socket policy lookup.
+X-Patchwork-Submitter: Steffen Klassert <steffen.klassert@secunet.com>
+X-Patchwork-Id: 852277
+X-Patchwork-Delegate: davem@davemloft.net
+Message-Id: <20171222094501.23345-5-steffen.klassert@secunet.com>
+To: David Miller <davem@davemloft.net>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>,
+ Steffen Klassert <steffen.klassert@secunet.com>, <netdev@vger.kernel.org>
+Date: Fri, 22 Dec 2017 10:44:57 +0100
+From: Steffen Klassert <steffen.klassert@secunet.com>
+List-Id: <netdev.vger.kernel.org>
+
+When we do tunnel or beet mode, we pass saddr and daddr from the
+template to xfrm_state_find(), this is ok. On transport mode,
+we pass the addresses from the flowi, assuming that the IP
+addresses (and address family) don't change during transformation.
+This assumption is wrong in the IPv4 mapped IPv6 case, packet
+is IPv4 and template is IPv6.
+
+Fix this by catching address family missmatches of the policy
+and the flow already before we do the lookup.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 9542975eb2f9..038ec68f6901 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
+ again:
+ pol = rcu_dereference(sk->sk_policy[dir]);
+ if (pol != NULL) {
+- bool match = xfrm_selector_match(&pol->selector, fl, family);
++ bool match;
+ int err = 0;
+
++ if (pol->family != family) {
++ pol = NULL;
++ goto out;
++ }
++
++ match = xfrm_selector_match(&pol->selector, fl, family);
+ if (match) {
+ if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
+ pol = NULL; |
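Review bot: The added file carries only the patchwork mail headers (From patchwork, X-Patchwork-Id 852277, Message-Id) and no mainline commit id, so nothing in the package records which upstream commit this is or lets a maintainer tell when a later 4.14.y release already contains it, at which point the patch would presumably stop applying cleanly at build time; I would add a header line such as `Upstream: <mainline commit id>` once the patch is merged, and a note that the file is to be dropped at the first stable bump that carries it. The change itself, rejecting the socket policy with `pol->family != family` before `xfrm_selector_match()` compares the selector against the flow key, is the upstream fix for the syzbot-reported stack read and is not being re-suggested here. The enclosing `xfrm_sk_policy_lookup()` starts and ends outside the hunk, so the `out:` label the new `goto` targets is not visible in this view.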