lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 11 Jan 2019 09:41:51 +0100
From:   Steffen Klassert <>
To:     Florian Westphal <>
CC:     <>, <>,
Subject: Re: [PATCH ipsec] xfrm: refine validation of template and selector

On Wed, Jan 09, 2019 at 02:37:34PM +0100, Florian Westphal wrote:
> The check assumes that in transport mode, the first templates family
> must match the address family of the policy selector.
> Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
> with ipv4-in-ipv6 chain, leading to following splat:
> BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
> Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
>  xfrm_state_find+0x1db/0x1854
>  xfrm_tmpl_resolve+0x100/0x1d0
>  xfrm_resolve_and_create_bundle+0x108/0x1000 [..]
> Problem is that addresses point into flowi4 struct, but xfrm_state_find
> treats them as being ipv6 because it uses templ->encap_family is used
> (AF_INET6 in case of reproducer) rather than family (AF_INET).
> This patch inverts the logic: Enforce 'template family must match
> selector' EXCEPT for tunnel and BEET mode.
> In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
> address pointers changed to point at the addresses found in the template,
> rather than the flowi ones, so no oob read will occur.
> Reported-by:
> Reported-by: Daniel Borkmann <>
> Signed-off-by: Florian Westphal <>

Applied, thanks Florian!

Powered by blists - more mailing lists