From: Greg Kroah-Hartman Date: Tue, 3 Apr 2018 15:49:43 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.103~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a69aceae1dfc02d482b0eba997150d6a8f22ceb;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch --- diff --git a/queue-3.18/series b/queue-3.18/series index f36cf739212..bb7e595e010 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -47,3 +47,4 @@ usb-gadget-f_hid-fix-prevent-accessing-released-memory.patch revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch xhci-fix-ring-leak-in-failure-path-of-xhci_alloc_virt_device.patch kprobes-x86-fix-to-set-rwx-bits-correctly-before-releasing-trampoline.patch +xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch diff --git a/queue-3.18/xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch b/queue-3.18/xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch new file mode 100644 index 00000000000..d69e52837bd --- /dev/null +++ b/queue-3.18/xfrm_user-uncoditionally-validate-esn-replay-attribute-struct.patch 
@@ -0,0 +1,61 @@ +From d97ca5d714a5334aecadadf696875da40f1fbf3e Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 12 Feb 2018 14:42:01 +0100 +Subject: xfrm_user: uncoditionally validate esn replay attribute struct + +From: Florian Westphal + +commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream. + +The sanity test added in ecd7918745234 can be bypassed, validation +only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care +and just checks if the attribute itself is present. + +So always validate. Alternative is to reject if we have the attribute +without the flag but that would change abi. + +Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com +Cc: Mathias Krause +Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid") +Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows") +Signed-off-by: Florian Westphal +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_user.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -120,22 +120,17 @@ static inline int verify_replay(struct x + struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; + struct xfrm_replay_state_esn *rs; + +- if (p->flags & XFRM_STATE_ESN) { +- if (!rt) +- return -EINVAL; +- +- rs = nla_data(rt); ++ if (!rt) ++ return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; + +- if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) +- return -EINVAL; ++ rs = nla_data(rt); + +- if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && +- nla_len(rt) != sizeof(*rs)) +- return -EINVAL; +- } ++ if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) ++ return -EINVAL; + +- if (!rt) +- return 0; ++ if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && ++ nla_len(rt) != sizeof(*rs)) ++ return -EINVAL; + + /* As only ESP and AH support ESN feature. 
*/ + if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
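Review bot: In the verify_replay() hunk of net/xfrm/xfrm_user.c, `rs->bmp_len` is read through `rs = nla_data(rt)` before the `nla_len(rt) < xfrm_replay_state_esn_len(rs) && nla_len(rt) != sizeof(*rs)` check runs, so the read of bmp_len is only safe if the netlink policy for XFRMA_REPLAY_ESN_VAL already guarantees at least sizeof(*rs) bytes; the hunk itself does not show that guarantee, so please confirm it or move the minimum-size check ahead of the bmp_len check. Also worth a one-line comment above `if (!rt) return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;` stating what the commit message explains, that an ESN attribute supplied without XFRM_STATE_ESN is still accepted (and now validated) rather than rejected, to keep the ABI unchanged; otherwise the next reader will wonder why the flag no longer gates the validation. Finally, the patch as shown here is cut off after the `/* As only ESP and AH support ESN feature. */` context line, so the trailing context and the remaining 61-line count of the new file cannot be checked from this page.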