lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250122123936.GB390877@kernel.org>
Date: Wed, 22 Jan 2025 12:39:36 +0000
From: Simon Horman <horms@...nel.org>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Steffen Klassert <steffen.klassert@...unet.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [PATCH net] xfrm: fix integer overflow in
 xfrm_replay_state_esn_len()

On Tue, Jan 21, 2025 at 02:16:01PM +0300, Dan Carpenter wrote:
> The problem is that "replay_esn->bmp_len" comes from the user and it's
> a u32.  The xfrm_replay_state_esn_len() function also returns a u32.
> So if we choose a ->bmp_len which very high then the total will be
> more than UINT_MAX and value will be truncated when we return.  The
> returned value will be smaller than expected causing problems in the
> caller.
> 
> To fix this:
> 1) Use size_add() and size_mul().  This change is necessary for 32bit
>    systems.
> 2) Change the type of xfrm_replay_state_esn_len() and related variables
>    from u32 to size_t.
> 3) Remove the casts to (int).  The size should never be negative.
>    Generally, values which come from size_add/mul() should stay as type
>    size_t and not be truncated to user fewer than all the bytes in a
>    unsigned long.
> 
> Cc: stable@...r.kernel.org
> Fixes: 9736acf395d3 ("xfrm: Add basic infrastructure to support IPsec extended sequence numbers")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> ---
> The one caller that I didn't modify was xfrm_sa_len().  That's a bit
> complicated and also I'm kind of hoping that we don't handle user
> controlled data in that function?  The place where we definitely are
> handling user data is in xfrm_alloc_replay_state_esn() and this patch
> fixes that.

Yes, that is a bit "complex".

FWIIW, my opinion is that your patch is correct and it improves things -
even if the end result may still have imperfections. And for that reason
I'm in favour of it being accepted.

Reviewed-by: Simon Horman <horms@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ