| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2ae16588-2972-a797-9310-4f9d56b7348b@android.com>
Date: Wed, 22 Jul 2020 03:20:59 -0700
From: Mark Salyzyn <salyzyn@...roid.com>
To: Steffen Klassert <steffen.klassert@...unet.com>
Cc: linux-kernel@...r.kernel.org, kernel-team@...roid.com,
netdev@...r.kernel.org, Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Subject: Re: af_key: pfkey_dump needs parameter validation
On 7/22/20 2:33 AM, Steffen Klassert wrote:
> On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
>> In pfkey_dump() dplen and splen can both be specified to access the
>> xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
>> when it calls addr_match() with the indexes. Return EINVAL if either
>> are out of range.
>>
>> Signed-off-by: Mark Salyzyn <salyzyn@...roid.com>
>> Cc: netdev@...r.kernel.org
>> Cc: linux-kernel@...r.kernel.org
>> Cc: kernel-team@...roid.com
>> ---
>> Should be back ported to the stable queues because this is a out of
>> bounds access.
> Please do a v2 and add a proper 'Fixes' tag if this is a fix that
> needs to be backported.
>
> Thanks!
Confused because this code was never right? From 2008 there was a
rewrite that instantiated this fragment of code so that it could handle
continuations for overloaded receive queues, but it was not right before
the adjustment.
Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP
entries non-atomically")
that is reaching back more than 12 years and the blame is poorly aimed
AFAIK.
Sincerely -- Mark Salyzyn
Powered by blists - more mailing lists