lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 10 Nov 2017 13:04:59 +1100
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     syzbot 
        <bot+413384116f7f7dab7903d54c53fc4af6a4441965@...kaller.appspotmail.com>,
        David Miller <davem@...emloft.net>,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        syzkaller-bugs@...glegroups.com
Subject: Re: kernel BUG at net/key/af_key.c:LINE!

On Thu, Nov 09, 2017 at 10:38:57PM +1100, Herbert Xu wrote:
> 
> The xfrm code path is meant to forbid the creation of such a policy.
> I don't currently see how this is bypassing that check.  But
> clearly it has found a way through the check since it's crashing.

By castrating the reproducer to not perform a pfkey dump I have
captured the corrupted policy via xfrm:

src ???/0 dst ???/0 uid 0
        socket in action allow index 2083 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-10 09:58:17 use 2017-11-10 09:58:20
        tmpl src ac14:bb:: dst ::
                proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
                level 5 share any 
                enc-mask 00000000 auth-mask 00000000 comp-mask 00000000

For comparison here is a good policy that was also created by the
reproducer:

src fe80::bb/0 dst ::/0 uid 0
        socket in action allow index 2083 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-10 09:58:17 use 2017-11-10 09:58:17
        tmpl src ac14:bb:: dst ::
                proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
                level 5 share any 
                enc-mask 00000000 auth-mask 00000000 comp-mask 00000000

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ