Date:   Mon, 24 Apr 2023 15:23:02 +0200
From:   Tobias Brunner <tobias@...ongswan.org>
To:     Steffen Klassert <steffen.klassert@...unet.com>
Cc:     netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>,
        Herbert Xu <herbert@...dor.apana.org.au>
Subject: [PATCH ipsec] xfrm: Ensure consistent address families when resolving
 templates

xfrm_state_find() uses `encap_family` of the current template with
the passed local and remote addresses to find a matching state.
This check makes sure that there is no mismatch and out-of-bounds
read in mixed-family scenarios where optional tunnel or BEET mode
templates were skipped that would have changed the addresses to
match the current template's family.

This basically enforces the same check as validate_tmpl(), just at
runtime when one or more optional templates might have been skipped.

Signed-off-by: Tobias Brunner <tobias@...ongswan.org>
---
  net/xfrm/xfrm_policy.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 62be042f2ebc..e6dfa55f1c3a 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2440,6 +2440,7 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
  	struct net *net = xp_net(policy);
  	int nx;
  	int i, error;
+	unsigned short prev_family = family;
  	xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
  	xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
  	xfrm_address_t tmp;
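Review bot: the added `unsigned short prev_family = family;` declaration has no comment saying what it tracks, and the name alone does not convey that it is the address family of the addresses currently held in `daddr`/`saddr`. A short comment on the declaration stating that invariant would make the later comparison against `tmpl->encap_family` easier to follow. Since the declaration of `family` is not visible in this hunk, please also confirm that `unsigned short` matches its type and that of `tmpl->encap_family`, so the comparison involves no implicit conversion.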
@@ -2462,6 +2463,9 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
  					goto fail;
  				local = &tmp;
  			}
+		} else if (prev_family != tmpl->encap_family) {
+			error = -EINVAL;
+			goto fail;
  		}
  
  		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
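Review bot: the new `else if (prev_family != tmpl->encap_family)` branch fails the whole resolution with `-EINVAL` but has no comment explaining why, and nothing at this spot tells a later reader that `remote`/`local` would otherwise be handed to `xfrm_state_find()` in a family other than `tmpl->encap_family`. A one-line comment above `error = -EINVAL;` naming that mismatch, and noting as the commit message does that this is the runtime counterpart of validate_tmpl(), would document the intent. It is also worth considering whether this exit should be distinguishable from the existing `goto fail` a few lines above, since both now leave through the same path.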
@@ -2471,6 +2475,7 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
  			xfrm[nx++] = x;
  			daddr = remote;
  			saddr = local;
+			prev_family = tmpl->encap_family;
  			continue;
  		}
  		if (x) {
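Review bot: `prev_family = tmpl->encap_family;` is the only place where the tracked family advances, and it is correct only because it sits beside `daddr = remote; saddr = local;`. Any later change that reassigns `daddr`/`saddr` somewhere else in the loop without also updating `prev_family` would silently defeat the new check, so a comment here tying the three assignments together would help. The diffstat shows only net/xfrm/xfrm_policy.c being changed; a test exercising a mixed-family policy with a skipped optional template would guard against regressions.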
-- 
2.34.1
