[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200722103700.GP20687@gauss3.secunet.de>
Date: Wed, 22 Jul 2020 12:37:00 +0200
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Mark Salyzyn <salyzyn@...roid.com>
CC: <linux-kernel@...r.kernel.org>, <kernel-team@...roid.com>,
<netdev@...r.kernel.org>, Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Subject: Re: af_key: pfkey_dump needs parameter validation
On Wed, Jul 22, 2020 at 03:20:59AM -0700, Mark Salyzyn wrote:
> On 7/22/20 2:33 AM, Steffen Klassert wrote:
> > On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
> > > In pfkey_dump() dplen and splen can both be specified to access the
> > > xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
> > > when it calls addr_match() with the indexes. Return EINVAL if either
> > > are out of range.
> > >
> > > Signed-off-by: Mark Salyzyn <salyzyn@...roid.com>
> > > Cc: netdev@...r.kernel.org
> > > Cc: linux-kernel@...r.kernel.org
> > > Cc: kernel-team@...roid.com
> > > ---
> > > Should be back ported to the stable queues because this is a out of
> > > bounds access.
> > Please do a v2 and add a proper 'Fixes' tag if this is a fix that
> > needs to be backported.
> >
> > Thanks!
>
> Confused because this code was never right? From 2008 there was a rewrite
> that instantiated this fragment of code so that it could handle
> continuations for overloaded receive queues, but it was not right before the
> adjustment.
>
> Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP
> entries non-atomically")
>
> that is reaching back more than 12 years and the blame is poorly aimed
> AFAIK.
This is just that the stable team knows how far they need to backport
it. If this was never right, then the initial git commit is the right
one for the fixes tag e.g. 'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")'
Powered by blists - more mailing lists