1. 10 Nov, 2018 2 commits
    • Sean Tranchetti's avatar
      xfrm: validate template mode · 5217bec5
      Sean Tranchetti authored
      [ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]
      XFRM mode parameters passed as part of the user templates
      in the IP_XFRM_POLICY are never properly validated. Passing
      values other than valid XFRM modes can cause stack-out-of-bounds
      reads to occur later in the XFRM processing:
      [  140.535608] ================================================================
      [  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
      [  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
      [  140.557369]
      [  140.558927] Call trace:
      [  140.558936] dump_backtrace+0x0/0x388
      [  140.558940] show_stack+0x24/0x30
      [  140.558946] __dump_stack+0x24/0x2c
      [  140.558949] dump_stack+0x8c/0xd0
      [  140.558956] print_address_description+0x74/0x234
      [  140.558960] kasan_report+0x240/0x264
      [  140.558963] __asan_report_load4_noabort+0x2c/0x38
      [  140.558967] xfrm_state_find+0x17e4/0x1cc4
      [  140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
      [  140.558975] xfrm_lookup+0x238/0x1444
      [  140.558977] xfrm_lookup_route+0x48/0x11c
      [  140.558984] ip_route_output_flow+0x88/0xc4
      [  140.558991] raw_sendmsg+0xa74/0x266c
      [  140.558996] inet_sendmsg+0x258/0x3b0
      [  140.559002] sock_sendmsg+0xbc/0xec
      [  140.559005] SyS_sendto+0x3a8/0x5a8
      [  140.559008] el0_svc_naked+0x34/0x38
      [  140.559009]
      [  140.592245] page dumped because: kasan: bad access detected
      [  140.597981] page_owner info is not active (free page?)
      [  140.603267]
      [  140.653503] ================================================================
      Signed-off-by: default avatarSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Steffen Klassert's avatar
      xfrm: Validate address prefix lengths in the xfrm selector. · 5ce93bd4
      Steffen Klassert authored
      [ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]
      We don't validate the address prefix lengths in the xfrm
      selector we got from userspace. This can lead to undefined
      behaviour in the address matching functions if the prefix
      is too big for the given address family. Fix this by checking
      the prefixes and refuse SA/policy insertation when a prefix
      is invalid.
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: default avatarAir Icy <icytxw@gmail.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
  2. 05 Sep, 2018 1 commit
  3. 24 Aug, 2018 1 commit
    • Eric Dumazet's avatar
      xfrm_user: prevent leaking 2 bytes of kernel memory · 3e6170d0
      Eric Dumazet authored
      commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.
      struct xfrm_userpolicy_type has two holes, so we should not
      use C99 style initializer.
      KMSAN report:
      BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
      CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
       kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
       kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
       copyout lib/iov_iter.c:140 [inline]
       _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
       copy_to_iter include/linux/uio.h:106 [inline]
       skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
       skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
       netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
       sock_recvmsg_nosec net/socket.c:802 [inline]
       sock_recvmsg+0x1d6/0x230 net/socket.c:809
       ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
       __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
       do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
       __do_sys_recvmmsg net/socket.c:2485 [inline]
       __se_sys_recvmmsg net/socket.c:2481 [inline]
       __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
       do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
      RIP: 0033:0x446ce9
      RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
      RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
      RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
      RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
      R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
      R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
       kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
       __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
       __nla_put lib/nlattr.c:569 [inline]
       nla_put+0x276/0x340 lib/nlattr.c:627
       copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
       dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
       xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
       xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
       netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
       __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
       netlink_dump_start include/linux/netlink.h:214 [inline]
       xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
       netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
       xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
      Local variable description: ----upt.i@dump_one_policy
      Variable was created at:
       dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
       xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
      Byte 130 of 137 is uninitialized
      Memory access starts at ffff88019550407f
      Fixes: c0144bea ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. 16 May, 2018 1 commit
  5. 08 Apr, 2018 1 commit
  6. 25 Feb, 2018 2 commits
  7. 05 Dec, 2017 1 commit
  8. 31 Mar, 2017 2 commits
  9. 23 Oct, 2015 1 commit
  10. 29 Sep, 2015 1 commit
  11. 11 Aug, 2015 1 commit
  12. 21 Jul, 2015 1 commit
  13. 28 May, 2015 1 commit
  14. 03 Mar, 2015 1 commit
  15. 18 Jan, 2015 1 commit
    • Johannes Berg's avatar
      netlink: make nlmsg_end() and genlmsg_end() void · 053c095a
      Johannes Berg authored
      Contrary to common expectations for an "int" return, these functions
      return only a positive value -- if used correctly they cannot even
      return 0 because the message header will necessarily be in the skb.
      This makes the very common pattern of
        if (genlmsg_end(...) < 0) { ... }
      be a whole bunch of dead code. Many places also simply do
        return nlmsg_end(...);
      and the caller is expected to deal with it.
      This also commonly (at least for me) causes errors, because it is very
      common to write
        if (my_function(...))
          /* error condition */
      and if my_function() does "return nlmsg_end()" this is of course wrong.
      Additionally, there's not a single place in the kernel that actually
      needs the message length returned, and if anyone needs it later then
      it'll be very easy to just use skb->len there.
      Remove this, and make the functions void. This removes a bunch of dead
      code as described above. The patch adds lines because I did
      -	return nlmsg_end(...);
      +	nlmsg_end(...);
      +	return 0;
      I could have preserved all the function's return values by returning
      skb->len, but instead I've audited all the places calling the affected
      functions and found that none cared. A few places actually compared
      the return value with <= 0 in dump functionality, but that could just
      be changed to < 0 with no change in behaviour, so I opted for the more
      efficient version.
      One instance of the error I've made numerous times now is also present
      in net/phonet/pn_netlink.c in the route_dumpit() function - it didn't
      check for <0 or <=0 and thus broke out of the loop every single time.
      I've preserved this since it will (I think) have caused the messages to
      userspace to be formatted differently with just a single message for
      every SKB returned to userspace. It's possible that this isn't needed
      for the tools that actually use this, but I don't even know what they
      are so couldn't test that changing this behaviour would be acceptable.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  16. 03 Nov, 2014 1 commit
  17. 18 Sep, 2014 1 commit
    • Herbert Xu's avatar
      ipsec: Remove obsolete MAX_AH_AUTH_LEN · 689f1c9d
      Herbert Xu authored
      While tracking down the MAX_AH_AUTH_LEN crash in an old kernel
      I thought that this limit was rather arbitrary and we should
      just get rid of it.
      In fact it seems that we've already done all the work needed
      to remove it apart from actually removing it.  This limit was
      there in order to limit stack usage.  Since we've already
      switched over to allocating scratch space using kmalloc, there
      is no longer any need to limit the authentication length.
      This patch kills all references to it, including the BUG_ONs
      that led me here.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
  18. 02 Sep, 2014 1 commit
    • Christophe Gouault's avatar
      xfrm: configure policy hash table thresholds by netlink · 880a6fab
      Christophe Gouault authored
      Enable to specify local and remote prefix length thresholds for the
      policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
      prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
      XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
          struct xfrmu_spdhthresh thresh4 = {
              .lbits = 0;
              .rbits = 24;
          struct xfrmu_spdhthresh thresh6 = {
              .lbits = 0;
              .rbits = 56;
          struct nlmsghdr *hdr;
          struct nl_msg *msg;
          msg = nlmsg_alloc();
          hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRMA_SPD_IPV4_HTHRESH, sizeof(__u32), NLM_F_REQUEST);
          nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
          nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
          nla_send_auto(sk, msg);
      The numbers are the policy selector minimum prefix lengths to put a
      policy in the hash table.
      - lbits is the local threshold (source address for out policies,
        destination address for in and fwd policies).
      - rbits is the remote threshold (destination address for out
        policies, source address for in and fwd policies).
      The default values are:
      XFRMA_SPD_IPV6_HTHRESH: 128 128
      Dynamic re-building of the SPD is performed when the thresholds values
      are changed.
      The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
      the kernel replies to XFRM_MSG_GETSPDINFO requests by an
      XFRM_MSG_NEWSPDINFO message, with both attributes
      Signed-off-by: default avatarChristophe Gouault <christophe.gouault@6wind.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
  19. 30 Jun, 2014 1 commit
  20. 03 Jun, 2014 1 commit
    • Michal Kubecek's avatar
      xfrm: fix race between netns cleanup and state expire notification · 21ee543e
      Michal Kubecek authored
      The xfrm_user module registers its pernet init/exit after xfrm
      itself so that its net exit function xfrm_user_net_exit() is
      executed before xfrm_net_exit() which calls xfrm_state_fini() to
      cleanup the SA's (xfrm states). This opens a window between
      zeroing net->xfrm.nlsk pointer and deleting all xfrm_state
      instances which may access it (via the timer). If an xfrm state
      expires in this window, xfrm_exp_state_notify() will pass null
      pointer as socket to nlmsg_multicast().
      As the notifications are called inside rcu_read_lock() block, it
      is sufficient to retrieve the nlsk socket with rcu_dereference()
      and check the it for null.
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  21. 24 Apr, 2014 1 commit
  22. 23 Apr, 2014 1 commit
  23. 22 Apr, 2014 1 commit
    • Tetsuo Handa's avatar
      xfrm: Remove useless secid field from xfrm_audit. · f1370cc4
      Tetsuo Handa authored
      It seems to me that commit ab5f5e8b "[XFRM]: xfrm audit calls" is doing
      something strange at xfrm_audit_helper_usrinfo().
      If secid != 0 && security_secid_to_secctx(secid) != 0, the caller calls
      audit_log_task_context() which basically does
      secid != 0 && security_secid_to_secctx(secid) == 0 case
      except that secid is obtained from current thread's context.
      Oh, what happens if secid passed to xfrm_audit_helper_usrinfo() was
      obtained from other thread's context? It might audit current thread's
      context rather than other thread's context if security_secid_to_secctx()
      in xfrm_audit_helper_usrinfo() failed for some reason.
      Then, are all the caller of xfrm_audit_helper_usrinfo() passing either
      secid obtained from current thread's context or secid == 0?
      It seems to me that they are.
      If I didn't miss something, we don't need to pass secid to
      xfrm_audit_helper_usrinfo() because audit_log_task_context() will
      obtain secid from current thread's context.
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
  24. 10 Mar, 2014 1 commit
    • Nikolay Aleksandrov's avatar
      selinux: add gfp argument to security_xfrm_policy_alloc and fix callers · 52a4c640
      Nikolay Aleksandrov authored
      security_xfrm_policy_alloc can be called in atomic context so the
      allocation should be done with GFP_ATOMIC. Add an argument to let the
      callers choose the appropriate way. In order to do so a gfp argument
      needs to be added to the method xfrm_policy_alloc_security in struct
      security_operations and to the internal function
      selinux_xfrm_alloc_user. After that switch to GFP_ATOMIC in the atomic
      callers and leave GFP_KERNEL as before for the rest.
      The path that needed the gfp argument addition is:
      security_xfrm_policy_alloc -> security_ops.xfrm_policy_alloc_security ->
      all users of xfrm_policy_alloc_security (e.g. selinux_xfrm_policy_alloc) ->
      selinux_xfrm_alloc_user (here the allocation used to be GFP_KERNEL only)
      Now adding a gfp argument to selinux_xfrm_alloc_user requires us to also
      add it to security_context_to_sid which is used inside and prior to this
      patch did only GFP_KERNEL allocation. So add gfp argument to
      security_context_to_sid and adjust all of its callers as well.
      CC: Paul Moore <paul@paul-moore.com>
      CC: Dave Jones <davej@redhat.com>
      CC: Steffen Klassert <steffen.klassert@secunet.com>
      CC: Fan Du <fan.du@windriver.com>
      CC: David S. Miller <davem@davemloft.net>
      CC: LSM list <linux-security-module@vger.kernel.org>
      CC: SELinux list <selinux@tycho.nsa.gov>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
  25. 07 Mar, 2014 1 commit
  26. 20 Feb, 2014 1 commit
  27. 17 Feb, 2014 1 commit
    • Nicolas Dichtel's avatar
      ipsec: add support of limited SA dump · d3623099
      Nicolas Dichtel authored
      The goal of this patch is to allow userland to dump only a part of SA by
      specifying a filter during the dump.
      The kernel is in charge to filter SA, this avoids to generate useless netlink
      traffic (it save also some cpu cycles). This is particularly useful when there
      is a big number of SA set on the system.
      Note that I removed the union in struct xfrm_state_walk to fix a problem on arm.
      struct netlink_callback->args is defined as a array of 6 long and the first long
      is used in xfrm code to flag the cb as initialized. Hence, we must have:
      sizeof(struct xfrm_state_walk) <= sizeof(long) * 5.
      With the union, it was false on arm (sizeof(struct xfrm_state_walk) was
      sizeof(long) * 7), due to the padding.
      In fact, whatever the arch is, this union seems useless, there will be always
      padding after it. Removing it will not increase the size of this struct (and
      reduce it on arm).
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
  28. 13 Feb, 2014 1 commit
  29. 12 Feb, 2014 1 commit
  30. 14 Jan, 2014 1 commit
  31. 02 Jan, 2014 2 commits
  32. 16 Dec, 2013 2 commits
    • Fan Du's avatar
      xfrm: export verify_userspi_info for pkfey and netlink interface · 776e9dd9
      Fan Du authored
      In order to check against valid IPcomp spi range, export verify_userspi_info
      for both pfkey and netlink interface.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    • Fan Du's avatar
      xfrm: check user specified spi for IPComp · ea9884b3
      Fan Du authored
      IPComp connection between two hosts is broken if given spi bigger
      than 0xffff.
      ip xfrm policy update dst src dir out action allow \
             tmpl dst src proto comp spi $OUTSPI
      ip xfrm policy update src dst dir in action allow \
             tmpl src dst proto comp spi $INSPI
      ip xfrm state add src dst  proto comp spi $INSPI \
      		comp deflate
      ip xfrm state add dst src  proto comp spi $OUTSPI \
      		comp deflate
      tcpdump can capture outbound ping packet, but inbound packet is
      dropped with XfrmOutNoStates errors. It looks like spi value used
      for IPComp is expected to be 16bits wide only.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
  33. 06 Dec, 2013 3 commits
    • Fan Du's avatar
      xfrm: Namespacify xfrm state/policy locks · 283bc9f3
      Fan Du authored
      By semantics, xfrm layer is fully name space aware,
      so will the locks, e.g. xfrm_state/pocliy_lock.
      Ensure exclusive access into state/policy link list
      for different name space with one global lock is not
      right in terms of semantics aspect at first place,
      as they are indeed mutually independent with each
      other, but also more seriously causes scalability
      One practical scenario is on a Open Network Stack,
      more than hundreds of lxc tenants acts as routers
      within one host, a global xfrm_state/policy_lock
      becomes the bottleneck. But onces those locks are
      decoupled in a per-namespace fashion, locks contend
      is just with in specific name space scope, without
      causing additional SPD/SAD access delay for other
      name space.
      Also this patch improve scalability while as without
      changing original xfrm behavior.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    • Fan Du's avatar
      xfrm: Using the right namespace to migrate key info · 8d549c4f
      Fan Du authored
      because the home agent could surely be run on a different
      net namespace other than init_net. The original behavior
      could lead into inconsistent of key info.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    • Fan Du's avatar
      xfrm: Try to honor policy index if it's supplied by user · e682adf0
      Fan Du authored
      xfrm code always searches for unused policy index for
      newly created policy regardless whether or not user
      space policy index hint supplied.
      This patch enables such feature so that using
      "ip xfrm ... index=xxx" can be used by user to set
      specific policy index.
      Currently this beahvior is broken, so this patch make
      it happen as expected.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>