lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 29 Jul 2022 10:30:31 +0800
From:   Herbert Xu <>
To:     Abhishek Shah <>
        Gabriel Ryan <>,
        Fan Du <>
Subject: Re: Race 1 in net/xfrm/xfrm_algo.c

On Thu, Jul 28, 2022 at 08:00:00PM -0400, Abhishek Shah wrote:
> Dear Herbert,
> Thanks for your quick reply and sorry for not being more clear about the
> inconsistencies. We identified security implications when algorithms
> disappear or reappear during the execution of *compose_sadb_supported*.
> In more detail,
> 1) If after *xfrm_count_pfkey_auth_supported* has finished counting the
> available algos, a secondary thread changes the availability of an algo
> through *xfrm_probe_algs*, it will return an incorrect number of available
> algorithms. If an algo was added during the racing access, the code
> allocates a buffer that is smaller than the number of available algorithms
> at net/key/af_key.c#L1619
> <>.
> This will result in an out of bounds write when the buffer is later
> populated at net/key/af_key.c#L1657
> <>.

OK this is a real bug caused by this commit:

commit 283bc9f35bbbcb0e9ab4e6d2427da7f9f710d52d
Author: Fan Du <>
Date:   Thu Nov 7 17:47:50 2013 +0800

    xfrm: Namespacify xfrm state/policy locks

It neglected to convert xfrm_probe_algs to namespaces so the
previous assumption of exclusive ownership of xfrm_algo_list
by the current afkey request is no longer true.

Email: Herbert Xu <>
Home Page:
PGP Key:

Powered by blists - more mailing lists