[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 09 Sep 2017 22:47:39 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org,
"Steffen Klassert" <steffen.klassert@...unet.com>,
"Andrey Konovalov" <andreyknvl@...gle.com>
Subject: [PATCH 3.2 002/106] af_key: Fix slab-out-of-bounds in
pfkey_compile_policy.
3.2.93-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steffen Klassert <steffen.klassert@...unet.com>
commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 upstream.
The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.
Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov <andreyknvl@...gle.com>
Tested-by: Andrey Konovalov <andreyknvl@...gle.com>
Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3230,7 +3230,7 @@ static struct xfrm_policy *pfkey_compile
p += pol->sadb_x_policy_len*8;
sec_ctx = (struct sadb_x_sec_ctx *)p;
if (len < pol->sadb_x_policy_len*8 +
- sec_ctx->sadb_x_sec_len) {
+ sec_ctx->sadb_x_sec_len*8) {
*dir = -EINVAL;
goto out;
}
Powered by blists - more mailing lists