git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Cong Wang <cong.wang@bytedance.com>
	Sun, 27 Dec 2020 00:50:20 +0000 (16:50 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 23 Feb 2021 13:00:29 +0000 (14:00 +0100)
commit	1ca96f32c3c544e7b8e5481ded540be221ace350
tree	854097363ca0b41720695d20dbda93c6f3c84505	tree
parent	a4dfa805d0b641701caceb8680cc2b816c45dd2b	commit \| diff

af_key: relax availability checks for skb size calculation

[ Upstream commit afbc293add6466f8f3f0c3d944d85f53709c170f ]

xfrm_probe_algs() probes kernel crypto modules and changes the
availability of struct xfrm_algo_desc. But there is a small window
where ealg->available and aalg->available get changed between
count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs(),
in this case we may allocate a smaller skb but later put a larger
amount of data and trigger the panic in skb_put().

Fix this by relaxing the checks when counting the size, that is,
skipping the test of ->available. We may waste some memory for a few
of sizeof(struct sadb_comb), but it is still much better than a panic.

Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>