3.18-stable patches

added patches:
	xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch

diff --git a/queue-3.18/series b/queue-3.18/series
index f36cf739212b6215f1aad215caa23e60e4968092..bb7e595e010e2b23a222e4072f229d0f47c51ccb 100644 (file)
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -47,3 +47,4 @@ usb-gadget-f_hid-fix-prevent-accessing-released-memory.patch
 revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch
 xhci-fix-ring-leak-in-failure-path-of-xhci_alloc_virt_device.patch
 kprobes-x86-fix-to-set-rwx-bits-correctly-before-releasing-trampoline.patch
+xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch

diff --git a/queue-3.18/xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch b/queue-3.18/xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch
new file mode 100644 (file)
index 0000000..d69e528
--- /dev/null
+++ b/queue-3.18/xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch
@@ -0,0 +1,61 @@
+From d97ca5d714a5334aecadadf696875da40f1fbf3e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 12 Feb 2018 14:42:01 +0100
+Subject: xfrm_user: uncoditionally validate esn replay attribute struct
+
+From: Florian Westphal <fw@strlen.de>
+
+commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.
+
+The sanity test added in ecd7918745234 can be bypassed, validation
+only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care
+and just checks if the attribute itself is present.
+
+So always validate.  Alternative is to reject if we have the attribute
+without the flag but that would change abi.
+
+Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
+Cc: Mathias Krause <minipli@googlemail.com>
+Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
+Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c |   21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -120,22 +120,17 @@ static inline int verify_replay(struct x
+       struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
+       struct xfrm_replay_state_esn *rs;
+ 
+-      if (p->flags & XFRM_STATE_ESN) {
+-              if (!rt)
+-                      return -EINVAL;
+-
+-              rs = nla_data(rt);
++      if (!rt)
++              return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
+ 
+-              if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+-                      return -EINVAL;
++      rs = nla_data(rt);
+ 
+-              if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
+-                  nla_len(rt) != sizeof(*rs))
+-                      return -EINVAL;
+-      }
++      if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
++              return -EINVAL;
+ 
+-      if (!rt)
+-              return 0;
++      if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
++          nla_len(rt) != sizeof(*rs))
++              return -EINVAL;
+ 
+       /* As only ESP and AH support ESN feature. */
+       if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))