• xfrm: validate template mode · 5217bec5
    Sean Tranchetti authored
    [ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]
    
    XFRM mode parameters passed as part of the user templates
    in the IP_XFRM_POLICY are never properly validated. Passing
    values other than valid XFRM modes can cause stack-out-of-bounds
    reads to occur later in the XFRM processing:
    
    [  140.535608] ================================================================
    [  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
    [  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
    [  140.557369]
    [  140.558927] Call trace:
    [  140.558936] dump_backtrace+0x0/0x388
    [  140.558940] show_stack+0x24/0x30
    [  140.558946] __dump_stack+0x24/0x2c
    [  140.558949] dump_stack+0x8c/0xd0
    [  140.558956] print_address_description+0x74/0x234
    [  140.558960] kasan_report+0x240/0x264
    [  140.558963] __asan_report_load4_noabort+0x2c/0x38
    [  140.558967] xfrm_state_find+0x17e4/0x1cc4
    [  140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
    [  140.558975] xfrm_lookup+0x238/0x1444
    [  140.558977] xfrm_lookup_route+0x48/0x11c
    [  140.558984] ip_route_output_flow+0x88/0xc4
    [  140.558991] raw_sendmsg+0xa74/0x266c
    [  140.558996] inet_sendmsg+0x258/0x3b0
    [  140.559002] sock_sendmsg+0xbc/0xec
    [  140.559005] SyS_sendto+0x3a8/0x5a8
    [  140.559008] el0_svc_naked+0x34/0x38
    [  140.559009]
    [  140.592245] page dumped because: kasan: bad access detected
    [  140.597981] page_owner info is not active (free page?)
    [  140.603267]
    [  140.653503] ================================================================
    Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>