lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 29 Dec 2020 17:01:27 +0100
From:   Florian Westphal <fw@...len.de>
To:     Visa Hankala <visa@...kala.org>
Cc:     Florian Westphal <fw@...len.de>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH] xfrm: Fix wraparound in xfrm_policy_addr_delta()

Visa Hankala <visa@...kala.org> wrote:
> Use three-way comparison for address elements to avoid integer
> wraparound in the result of xfrm_policy_addr_delta().
> 
> This ensures that the search trees are built and traversed correctly
> when the difference between compared address elements is larger
> than INT_MAX.

Please provide an update to tools/testing/selftests/net/xfrm_policy.sh
that shows that this is a problem.

>  	switch (family) {
>  	case AF_INET:
> -		if (sizeof(long) == 4 && prefixlen == 0)
> -			return ntohl(a->a4) - ntohl(b->a4);
> -		return (ntohl(a->a4) & ((~0UL << (32 - prefixlen)))) -
> -		       (ntohl(b->a4) & ((~0UL << (32 - prefixlen))));
> +		mask = ~0U << (32 - prefixlen);
> +		ma = ntohl(a->a4) & mask;
> +		mb = ntohl(b->a4) & mask;

This is suspicious.  Is prefixlen == 0 impossible?

If not, then after patch
mask = ~0U << 32;

... and function returns 0.

Powered by blists - more mailing lists