| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170913104416.GG31384@secunet.com>
Date: Wed, 13 Sep 2017 12:44:16 +0200
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Alexey Kodanev <alexey.kodanev@...cle.com>
CC: <netdev@...r.kernel.org>, Herbert Xu <herbert@...dor.apana.org.au>,
"David Miller" <davem@...emloft.net>
Subject: Re: [PATCH] vti: fix NULL dereference in xfrm_input()
On Tue, Sep 12, 2017 at 02:53:46PM +0300, Alexey Kodanev wrote:
> Can be reproduced with LTP tests:
> # icmp-uni-vti.sh -p ah -a sha256 -m tunnel -S fffffffe -k 1 -s 10
>
> IPv4:
> RIP: 0010:xfrm_input+0x7f9/0x870
> ...
> Call Trace:
> <IRQ>
> vti_input+0xaa/0x110 [ip_vti]
> ? skb_free_head+0x21/0x40
> vti_rcv+0x33/0x40 [ip_vti]
> xfrm4_ah_rcv+0x33/0x60
> ip_local_deliver_finish+0x94/0x1e0
> ip_local_deliver+0x6f/0xe0
> ? ip_route_input_noref+0x28/0x50
> ...
>
> # icmp-uni-vti.sh -6 -p ah -a sha256 -m tunnel -S fffffffe -k 1 -s 10
> IPv6:
> RIP: 0010:xfrm_input+0x7f9/0x870
> ...
> Call Trace:
> <IRQ>
> xfrm6_rcv_tnl+0x3c/0x40
> vti6_rcv+0xd5/0xe0 [ip6_vti]
> xfrm6_ah_rcv+0x33/0x60
> ip6_input_finish+0xee/0x460
> ip6_input+0x3f/0xb0
> ip6_rcv_finish+0x45/0xa0
> ipv6_rcv+0x34b/0x540
>
> xfrm_input() invokes xfrm_rcv_cb() -> vti_rcv_cb(), the last callback
> might call skb_scrub_packet(), which in turn can reset secpath.
>
> Fix it by adding a check that skb->sp is not NULL.
>
> Fixes: 7e9e9202bccc ("xfrm: Clear RX SKB secpath xfrm_offload")
> Signed-off-by: Alexey Kodanev <alexey.kodanev@...cle.com>
Patch applied, thanks Alexey!
Powered by blists - more mailing lists