Open Source and information security mailing list archives
Date:   Thu, 27 Oct 2022 14:24:55 +0000
From:   Zhihao Chen <chenzhihao@...zu.com>
To:     <netdev@...r.kernel.org>
CC:     <baihaowen@...zu.com>, <steffen.klassert@...unet.com>,
        Zhihao Chen <chenzhihao@...zu.com>,
        Chonglong Xu <xuchonglong@...zu.com>
Subject: [PATCH] xfrm:fix access to the null pointer in __xfrm_state_delete()

Validate the byseq node before removing it from the hlist of state_byseq.
km.seq cannot be used to determine whether the SA is in the byseq hlist
because xfrm_add_sa() may initialize km.seq to 0 and the SA is not inserted
into hlist. In later network communication, the seq field will increase
after the valid packet is received.

In the above case, the NULL pointer will be accessed and cause a kernel
panic when the SA is being removed from hlist by checking km.seq field in
__xfrm_state_delete().

Call trace:
__xfrm_state_delete+0xb0/0x370
xfrm_del_sa+0x1c8/0x378
xfrm_user_rcv_msg+0x220/0x2d8
netlink_rcv_skb+0x104/0x180
xfrm_netlink_rcv+0x6c/0x118
netlink_unicast_kernel+0x12c/0x320
netlink_unicast+0x1dc/0x424
netlink_sendmsg+0x4b8/0x730
sock_write_iter+0x14c/0x1d8
do_iter_readv_writev+0x164/0x1d8
do_iter_write+0x104/0x2c4
do_writev+0x1a4/0x2d4
__arm64_sys_writev+0x24/0x34
invoke_syscall+0x60/0x150
el0_svc_common+0xc8/0x114
do_el0_svc+0x28/0xa0
el0_svc+0x28/0x90
el0t_64_sync_handler+0x88/0xec
el0t_64_sync+0x1b4/0x1b8

Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
Signed-off-by: Zhihao Chen <chenzhihao@...zu.com>
Signed-off-by: Chonglong Xu <xuchonglong@...zu.com>
---
 net/xfrm/xfrm_state.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 3d2fe7712ac5..72a6426baef4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -687,7 +687,7 @@ int __xfrm_state_delete(struct xfrm_state *x)
 		list_del(&x->km.all);
 		hlist_del_rcu(&x->bydst);
 		hlist_del_rcu(&x->bysrc);
-		if (x->km.seq)
+		if (x->km.seq && !hlist_unhashed(&x->byseq))
 			hlist_del_rcu(&x->byseq);
 		if (x->id.spi)
 			hlist_del_rcu(&x->byspi);
-- 
2.25.1
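The failure mode the commit message describes, as an added, self-contained C model that is not part of the patch or of the kernel source: a minimal user-space re-implementation of the hlist primitives (struct names and hlist_unhashed()/hlist_add_head() mirror the kernel API, but the code here is a stand-alone copy), a cut-down xfrm_state with only km.seq and the byseq node, and the "before" and "after" conditions from the hunk side by side. The scenario values (seq 1234 raised after an add with seq 0, seq 42 for a properly hashed state) are constructed for the example. Where the kernel would write through a NULL pprev and fault, the model returns -1 so the outcome can be checked.

```c
/* Added example: user-space model of the hlist semantics behind the patch.
 * Not kernel code; names mirror the kernel API for readability only. */
#include <stddef.h>
#include <stdlib.h>
#include <stdbool.h>

struct hlist_node {
    struct hlist_node *next;
    struct hlist_node **pprev;   /* NULL until the node is hashed in */
};

struct hlist_head {
    struct hlist_node *first;
};

/* As in the kernel: a node whose pprev is NULL is on no list. */
static bool hlist_unhashed(const struct hlist_node *n)
{
    return n->pprev == NULL;
}

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* The kernel's __hlist_del writes through n->pprev unconditionally.
 * This model returns -1 instead of dereferencing NULL so the failure is
 * observable; the real code simply faults, as in the reported call trace. */
static int hlist_del(struct hlist_node *n)
{
    if (n->pprev == NULL)
        return -1;                /* NULL pointer dereference in the kernel */
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
    n->next = NULL;
    n->pprev = NULL;              /* back to the unhashed state */
    return 0;
}

/* Only the fields of struct xfrm_state this example needs. */
struct xfrm_state {
    struct { unsigned int seq; } km;
    struct hlist_node byseq;
};

static struct hlist_head state_byseq;

/* Model of xfrm_state_alloc(): zeroed memory, so byseq.pprev == NULL. */
static struct xfrm_state *state_alloc(void)
{
    return calloc(1, sizeof(struct xfrm_state));
}

/* Condition removed by the hunk: removal keyed on km.seq alone. */
static int delete_byseq_old(struct xfrm_state *x)
{
    if (x->km.seq)
        return hlist_del(&x->byseq);
    return 0;
}

/* Condition added by the hunk: also require the node to be hashed. */
static int delete_byseq_new(struct xfrm_state *x)
{
    if (x->km.seq && !hlist_unhashed(&x->byseq))
        return hlist_del(&x->byseq);
    return 0;
}

/* Scenario from the commit message: the SA was added with seq == 0, so it
 * never entered state_byseq; traffic later raised km.seq; then it is deleted.
 * Returns 0 on a clean delete, -1 where the kernel would have faulted. */
static int scenario_seq_raised_after_add(bool use_fixed_check)
{
    struct xfrm_state *x = state_alloc();
    int rc;

    /* km.seq was 0 at add time, so the insert into state_byseq was skipped. */
    x->km.seq = 1234;             /* constructed: seq bumped by later traffic */
    rc = use_fixed_check ? delete_byseq_new(x) : delete_byseq_old(x);
    free(x);
    return rc;
}

/* Control case: a state that really is hashed is removed by both paths,
 * and the list must be empty afterwards (bit 1 set in the result if not). */
static int scenario_hashed_state(bool use_fixed_check)
{
    struct xfrm_state *x = state_alloc();
    int rc;

    x->km.seq = 42;               /* constructed: nonzero seq at add time */
    hlist_add_head(&x->byseq, &state_byseq);
    rc = use_fixed_check ? delete_byseq_new(x) : delete_byseq_old(x);
    rc |= (state_byseq.first == NULL) ? 0 : 2;
    free(x);
    return rc;
}
```

The model also makes the reviewer's caveat concrete: hlist_unhashed() only protects the never-inserted case because calloc() left pprev NULL, so the guard is only as good as the allocation path that establishes that invariant.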
