From 5a11be3bab2dcd6fe061206662969c4cea46988f Mon Sep 17 00:00:00 2001
Message-Id: <5a11be3bab2dcd6fe061206662969c4cea46988f.1515173964.git.jan.steffens@gmail.com>
In-Reply-To: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com>
References: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com>
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Fri, 22 Dec 2017 10:44:57 +0100
Subject: [PATCH 4/6] xfrm: Fix stack-out-of-bounds read on socket policy
lookup.
When we do tunnel or beet mode, we pass saddr and daddr from the
template to xfrm_state_find(), this is ok. On transport mode,
we pass the addresses from the flowi, assuming that the IP
addresses (and address family) don't change during transformation.
This assumption is wrong in the IPv4 mapped IPv6 case, packet
is IPv4 and template is IPv6.
Fix this by catching address family mismatches of the policy
and the flow already before we do the lookup.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6bc16bb61b5533ef..50c5f46b5cca942e 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
again:
pol = rcu_dereference(sk->sk_policy[dir]);
if (pol != NULL) {
- bool match = xfrm_selector_match(&pol->selector, fl, family);
+ bool match;
int err = 0;
+ if (pol->family != family) {
+ pol = NULL;
+ goto out;
+ }
+
+ match = xfrm_selector_match(&pol->selector, fl, family);
if (match) {
if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
pol = NULL;
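Review bot: The new `if (pol->family != family)` guard carries no comment saying why the family must be checked before xfrm_selector_match() is called; the reasoning is only in the commit message (in transport mode the addresses come from the flowi, so an IPv4 flow compared against an IPv6 selector reads beyond the IPv4 address storage), and a reader of the function alone cannot see it. I would add, directly above the check, `/* Selector matching reads addresses sized by the policy family; an IPv4 flow against an IPv6 socket policy (IPv4-mapped IPv6) would read past the flowi, so reject the mismatch before matching. */`. Worth a stated decision as well: the mismatch yields `pol = NULL`, the same result as "no socket policy", so the caller presumably falls back to the main policy lookup rather than treating the flow as an error; if traffic on such a socket must not bypass its socket policy, that intent should be documented at this site. The `out:` label and the remainder of xfrm_sk_policy_lookup() lie outside the hunk.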
--
2.15.1