| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220210080536.GC1223722@gauss3.secunet.de>
Date: Thu, 10 Feb 2022 09:05:36 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Leon Romanovsky <leon@...nel.org>
CC: Leon Romanovsky <leonro@...dia.com>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
<netdev@...r.kernel.org>
Subject: Re: [PATCH ipsec-rc] xfrm: enforce validity of offload input flags
On Tue, Feb 08, 2022 at 04:14:32PM +0200, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@...dia.com>
>
> struct xfrm_user_offload has flags variable that received user input,
> but kernel didn't check if valid bits were provided. It caused a situation
> where not sanitized input was forwarded directly to the drivers.
>
> For example, XFRM_OFFLOAD_IPV6 define that was exposed, was used by
> strongswan, but not implemented in the kernel at all.
>
> As a solution, check and sanitize input flags to forward
> XFRM_OFFLOAD_INBOUND to the drivers.
>
> Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
> Signed-off-by: Leon Romanovsky <leonro@...dia.com>
Applied, thanks Leon!
Powered by blists - more mailing lists