Message-ID: <20180201083418.rfarzrodccdy54xx@gauss3.secunet.de>
Date:   Thu, 1 Feb 2018 09:34:18 +0100
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     syzbot <syzbot+e1a1577ca8bcb47b769a@...kaller.appspotmail.com>
CC:     <davem@...emloft.net>, <herbert@...dor.apana.org.au>,
        <linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
        <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (4)

On Wed, Jan 31, 2018 at 07:58:01AM -0800, syzbot wrote:
> Hello,
> 
> syzbot hit the following crash on upstream commit
> 72906f38934a49faf4d2d38ea9ae32adcf7d5d0c (Tue Jan 30 21:04:50 2018 +0000)
> Merge branch 'x86-hyperv-for-linus' of
> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
> 
> So far this crash happened 4 times on net-next, upstream.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> user-space arch: i386

Looks like we forgot to refuse to insert socket policies
when userspace is 32 bit and kernel is 64 bit. We do this
already for policies inserted with netlink because we don't
have a compat layer for xfrm. This means that userspace
and kernel structures don't match, leading to broken
configurations.

I don't have 32 bit userspace on 64 bit machines, so I
can't test this myself. Can you please test this patch:

Subject: [PATCH RFC] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems

We don't have a compat layer for xfrm, so userspace and kernel
structures have different sizes in this case. This results in
a broken configuration, so refuse to configure socket policies
when trying to insert from 32 bit userspace as we do it already
with policies inserted via netlink.

Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
---
 net/xfrm/xfrm_state.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a3785f538018..25861a4ef872 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
 	struct xfrm_mgr *km;
 	struct xfrm_policy *pol = NULL;
 
+#ifdef CONFIG_COMPAT
+	if (in_compat_syscall())
+		return -EOPNOTSUPP;
+#endif
+
 	if (optlen <= 0 || optlen > PAGE_SIZE)
 		return -EMSGSIZE;
 
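Review bot: the new early return in xfrm_user_policy() carries no comment explaining why compat callers are refused, so a later reader of the function sees only a bare -EOPNOTSUPP; suggest a one-line comment above `if (in_compat_syscall())`, e.g. `/* No compat layer for xfrm: 32 bit userspace structures do not match the kernel's */`, carrying the rationale from the commit message into the code. The `#ifdef CONFIG_COMPAT` guard around the check is also redundant, since in_compat_syscall() is defined as a stub returning false when CONFIG_COMPAT is off, and can be dropped.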
-- 
2.14.1
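As an added illustration (not from this thread, the patch, or the kernel), the C program below models why the 32-bit and 64-bit layouts differ: i386 aligns 64-bit integers to 4 bytes while x86_64 aligns them to 8, so a 64-bit member that follows a 32-bit one lands at a different offset. The structures are hypothetical stand-ins for the xfrm user policy structures, and `user_policy_check()` mirrors the early returns of the patched `xfrm_user_policy()` with a constructed size check in place of the real parsing.

```c
/* Added example; not kernel code and not part of the patch. It models why
 * a 32-bit caller's structure does not match the 64-bit kernel's layout:
 * i386 aligns 64-bit integers to 4 bytes, x86_64 to 8. The structures are
 * hypothetical stand-ins for the xfrm user policy structures. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A typedef may lower alignment; the kernel builds compat_u64 this way. */
typedef uint64_t __attribute__((aligned(4))) u64_ilp32;

struct policy_ilp32 {            /* layout as 32-bit userspace builds it */
    uint32_t  index;
    u64_ilp32 soft_byte_limit;   /* offset 4: no padding inserted */
    u64_ilp32 hard_byte_limit;
    uint8_t   dir, action;
};                               /* 24 bytes */

struct policy_lp64 {             /* layout the 64-bit kernel expects */
    uint32_t index;
    uint64_t soft_byte_limit;    /* offset 8: 4 bytes of padding first */
    uint64_t hard_byte_limit;
    uint8_t  dir, action;
};                               /* 32 bytes */

/* Mirrors the entry checks of the patched xfrm_user_policy(). With
 * 'patched' set, a compat caller is refused before optlen is compared
 * against the native layout; without it, the caller's 24-byte buffer
 * would be read as the 32-byte native structure (reported here as a
 * size mismatch instead of acted on). 4096 stands in for PAGE_SIZE. */
int user_policy_check(int in_compat, int optlen, int patched)
{
    if (patched && in_compat)
        return -EOPNOTSUPP;
    if (optlen <= 0 || optlen > 4096)
        return -EMSGSIZE;
    return optlen == (int)sizeof(struct policy_lp64) ? 0 : -EMSGSIZE;
}

int main(void)
{
    printf("ilp32: size %zu, soft_byte_limit at %zu\n",
           sizeof(struct policy_ilp32),
           offsetof(struct policy_ilp32, soft_byte_limit));
    printf("lp64:  size %zu, soft_byte_limit at %zu\n",
           sizeof(struct policy_lp64),
           offsetof(struct policy_lp64, soft_byte_limit));
    return 0;
}
```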
