| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Jan 2019 09:41:51 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Florian Westphal <fw@...len.de>
CC: <3ntr0py1337@...il.com>, <daniel@...earbox.net>,
<netdev@...r.kernel.org>
Subject: Re: [PATCH ipsec] xfrm: refine validation of template and selector
families
On Wed, Jan 09, 2019 at 02:37:34PM +0100, Florian Westphal wrote:
> The check assumes that in transport mode, the first templates family
> must match the address family of the policy selector.
>
> Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
> with ipv4-in-ipv6 chain, leading to following splat:
>
> BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
> Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
> xfrm_state_find+0x1db/0x1854
> xfrm_tmpl_resolve+0x100/0x1d0
> xfrm_resolve_and_create_bundle+0x108/0x1000 [..]
>
> Problem is that addresses point into flowi4 struct, but xfrm_state_find
> treats them as being ipv6 because it uses templ->encap_family is used
> (AF_INET6 in case of reproducer) rather than family (AF_INET).
>
> This patch inverts the logic: Enforce 'template family must match
> selector' EXCEPT for tunnel and BEET mode.
>
> In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
> address pointers changed to point at the addresses found in the template,
> rather than the flowi ones, so no oob read will occur.
>
> Reported-by: 3ntr0py1337@...il.com
> Reported-by: Daniel Borkmann <daniel@...earbox.net>
> Signed-off-by: Florian Westphal <fw@...len.de>
Applied, thanks Florian!
Powered by blists - more mailing lists