From: Greg Kroah-Hartman Date: Thu, 24 Sep 2020 14:08:49 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.19.148~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18cd8f400537d2fc5c6dfdaad527ff9f76e37bc8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: af_key-pfkey_dump-needs-parameter-validation.patch --- diff --git a/queue-4.14/af_key-pfkey_dump-needs-parameter-validation.patch b/queue-4.14/af_key-pfkey_dump-needs-parameter-validation.patch new file mode 100644 index 00000000000..9861cc610ea --- /dev/null +++ b/queue-4.14/af_key-pfkey_dump-needs-parameter-validation.patch 
@@ -0,0 +1,46 @@ +From 37bd22420f856fcd976989f1d4f1f7ad28e1fcac Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn +Date: Wed, 22 Jul 2020 04:00:53 -0700 +Subject: af_key: pfkey_dump needs parameter validation + +From: Mark Salyzyn + +commit 37bd22420f856fcd976989f1d4f1f7ad28e1fcac upstream. + +In pfkey_dump() dplen and splen can both be specified to access the +xfrm_address_t structure out of bounds in__xfrm_state_filter_match() +when it calls addr_match() with the indexes. Return EINVAL if either +are out of range. + +Signed-off-by: Mark Salyzyn +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: kernel-team@android.com +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Jakub Kicinski +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/key/af_key.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1855,6 +1855,13 @@ static int pfkey_dump(struct sock *sk, s + if (ext_hdrs[SADB_X_EXT_FILTER - 1]) { + struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1]; + ++ if ((xfilter->sadb_x_filter_splen >= ++ (sizeof(xfrm_address_t) << 3)) || ++ (xfilter->sadb_x_filter_dplen >= ++ (sizeof(xfrm_address_t) << 3))) { ++ mutex_unlock(&pfk->dump_lock); ++ return -EINVAL; ++ } + filter = kmalloc(sizeof(*filter), GFP_KERNEL); + if (filter == NULL) { + mutex_unlock(&pfk->dump_lock);
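Review bot: the new bound in the pfkey_dump() hunk rejects sadb_x_filter_splen and sadb_x_filter_dplen when they are greater than or equal to `sizeof(xfrm_address_t) << 3`, which is the bit width of the 16-byte address union (128); if a prefix length of exactly 128 is a valid full-address match in addr_match(), the `>=` should be `>`, so please confirm against __xfrm_state_filter_match()/addr_match() what the largest safe index is before the comparison is settled. The early return correctly drops pfk->dump_lock before returning -EINVAL, matching the existing kmalloc() failure path in the context lines below it. A short comment or a named constant for `sizeof(xfrm_address_t) << 3` would make the intent (upper bound on the prefix length in bits) clearer to the next reader.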