Date:   Thu, 2 Nov 2017 13:25:28 +0100
From:   Florian Westphal <fw@...len.de>
To:     Steffen Klassert <steffen.klassert@...unet.com>
Cc:     Florian Westphal <fw@...len.de>,
        syzbot 
        <bot+19b21aa652248382e2b8cbb81fa1cdc03b4bda01@...kaller.appspotmail.com>,
        davem@...emloft.net, herbert@...dor.apana.org.au,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, thomas.egerer@...unet.com
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

Steffen Klassert <steffen.klassert@...unet.com> wrote:
> On Wed, Nov 01, 2017 at 11:06:08PM +0100, Florian Westphal wrote:
> > I also don't understand how address comparison is supposed to work in this case,
> > it seems that if saddr/daddr are v4 and template v6 we compare full ipv6 addresses
> > (how would that succeed...?) and, if saddr/daddr is v6 and template is v4 we just
> > compare the first 32bit of the ipv6 addresses...?
> 
> When we do tunnel or beet mode, we pass saddr and daddr from the
> template to xfrm_state_find(), this should be ok. On transport
> mode, we pass the addresses from the flowi, assuming that the
> IP addresses (and address family) don't change during transformation.
> This assumption is wrong in the IPv4 mapped IPv6 case, packet
> is IPv4 and template is IPv6.

Right, sendto() uses ipv4 address on ipv6 socket.

> I'd propose to use the addresses from the template unconditionally,
> like the (untested) patch below does.
> 
> Unfortunately the reproducer does not work with my config,
> sendto returns EAGAIN. Could anybody try this patch?

The reproducer no longer causes KASAN spew with your patch,
but I don't have a test case that actually creates/uses a tunnel.
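The family mismatch discussed above (an IPv4 packet sent through an IPv6 socket to an IPv4-mapped address, compared against a template of the other family), shown as an added user-space model; this is example code, not the kernel's xfrm code and not from either poster, and `struct tagged_addr`, `make_addr`, `addr_equal`, `is_v4_mapped` and `unmap_v4` are names constructed for the illustration:

```c
#include <stdbool.h>
#include <string.h>
#include <arpa/inet.h>   /* AF_INET, AF_INET6, in_addr, in6_addr, inet_pton */

/* Constructed user-space model, not the kernel's xfrm code: an address tagged
   with its family, so a compare never reads more bytes than the address has. */
struct tagged_addr {
    unsigned short family;      /* AF_INET or AF_INET6 */
    union { struct in_addr v4; struct in6_addr v6; } u;   /* 4 or 16 bytes */
};

static struct tagged_addr make_addr(const char *text)
{
    struct tagged_addr a;
    memset(&a, 0, sizeof a);
    if (inet_pton(AF_INET6, text, &a.u.v6) == 1)
        a.family = AF_INET6;
    else if (inet_pton(AF_INET, text, &a.u.v4) == 1)
        a.family = AF_INET;
    return a;
}

/* Family-checked equality: mismatched families are simply unequal, instead of
   comparing 16 template bytes against a 4-byte packet address. */
static bool addr_equal(const struct tagged_addr *a, const struct tagged_addr *b)
{
    if (a->family != b->family)
        return false;
    size_t len = a->family == AF_INET6 ? sizeof a->u.v6 : sizeof a->u.v4;
    return memcmp(&a->u, &b->u, len) == 0;
}

/* ::ffff:a.b.c.d is an IPv4-mapped IPv6 address: sendto() on an IPv6 socket
   with such a destination emits an IPv4 packet, the case in this thread. */
static bool is_v4_mapped(const struct tagged_addr *a)
{
    static const unsigned char prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    return a->family == AF_INET6 && memcmp(a->u.v6.s6_addr, prefix, 12) == 0;
}

/* Recover the IPv4 address the packet actually carries, so it can be compared
   against an IPv4 template in the matching family. */
static struct tagged_addr unmap_v4(const struct tagged_addr *a)
{
    struct tagged_addr r;
    memset(&r, 0, sizeof r);
    r.family = AF_INET;
    memcpy(&r.u.v4, a->u.v6.s6_addr + 12, 4);
    return r;
}
```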
