lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Mon, 23 May 2022 18:44:13 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     paskripkin@...il.com, steffen.klassert@...unet.com,
        syzbot+b2be9dd8ca6f6c73ee2d@...kaller.appspotmail.com,
        stable-commits@...r.kernel.org
Subject: Re: Patch "net: xfrm: fix shift-out-of-bounds in xfrm_get_default"
 has been added to the 5.10-stable tree

On Mon, May 23, 2022 at 06:34:44PM +0200, gregkh@...uxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     net: xfrm: fix shift-out-of-bounds in xfrm_get_default
> 
> to the 5.10-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
> and it can be found in the queue-5.10 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@...r.kernel.org> know about it.
> 
> 
> >From 3c10ffddc61f8a1a59e29a110ba70b47e679206a Mon Sep 17 00:00:00 2001
> From: Pavel Skripkin <paskripkin@...il.com>
> Date: Thu, 2 Sep 2021 22:04:00 +0300
> Subject: net: xfrm: fix shift-out-of-bounds in xfrm_get_default
> 
> From: Pavel Skripkin <paskripkin@...il.com>
> 
> commit 3c10ffddc61f8a1a59e29a110ba70b47e679206a upstream.
> 
> Syzbot hit shift-out-of-bounds in xfrm_get_default. The problem was in
> missing validation check for user data.
> 
> up->dirmask comes from user-space, so we need to check if this value
> is less than XFRM_USERPOLICY_DIRMASK_MAX to avoid shift-out-of-bounds bugs.
> 
> Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
> Reported-and-tested-by: syzbot+b2be9dd8ca6f6c73ee2d@...kaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> ---
>  net/xfrm/xfrm_user.c |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1989,6 +1989,11 @@ static int xfrm_get_default(struct sk_bu
>  		return -EMSGSIZE;
>  	}
>  
> +	if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX) {
> +		kfree_skb(r_skb);
> +		return -EINVAL;
> +	}
> +
>  	r_up = nlmsg_data(r_nlh);
>  	r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
>  	r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
> 
> 
> Patches currently in stable-queue which might be from paskripkin@...il.com are
> 
> queue-5.10/net-xfrm-fix-shift-out-of-bounce.patch
> queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch

Nevermind, this breaks the build, now dropping it.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ