lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Jul 2020 03:20:59 -0700 From: Mark Salyzyn <salyzyn@...roid.com> To: Steffen Klassert <steffen.klassert@...unet.com> Cc: linux-kernel@...r.kernel.org, kernel-team@...roid.com, netdev@...r.kernel.org, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org> Subject: Re: af_key: pfkey_dump needs parameter validation On 7/22/20 2:33 AM, Steffen Klassert wrote: > On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote: >> In pfkey_dump() dplen and splen can both be specified to access the >> xfrm_address_t structure out of bounds in__xfrm_state_filter_match() >> when it calls addr_match() with the indexes. Return EINVAL if either >> are out of range. >> >> Signed-off-by: Mark Salyzyn <salyzyn@...roid.com> >> Cc: netdev@...r.kernel.org >> Cc: linux-kernel@...r.kernel.org >> Cc: kernel-team@...roid.com >> --- >> Should be back ported to the stable queues because this is a out of >> bounds access. > Please do a v2 and add a proper 'Fixes' tag if this is a fix that > needs to be backported. > > Thanks! Confused because this code was never right? From 2008 there was a rewrite that instantiated this fragment of code so that it could handle continuations for overloaded receive queues, but it was not right before the adjustment. Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP entries non-atomically") that is reaching back more than 12 years and the blame is poorly aimed AFAIK. Sincerely -- Mark Salyzyn
Powered by blists - more mailing lists