lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <e9209b246d7af0a893e017ac56a8594f3ab658a3.1764061159.git.antony.antony@secunet.com>
Date: Tue, 25 Nov 2025 10:30:43 +0100
From: Antony Antony <antony.antony@...unet.com>
To: Steffen Klassert <steffen.klassert@...unet.com>, Herbert Xu
	<herbert@...dor.apana.org.au>, <netdev@...r.kernel.org>
CC: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, <devel@...ux-ipsec.org>
Subject: [PATCH RFC ipsec-next 5/5] xfrm: check that SA is in VALID state
 before use

During migration, a state/SA may have been deleted or become invalid.
Since skb(s) may still hold a reference to this deleted state, it could
be reused inadvertently. Using a migrated SA could result in reusing
the same IV for AES-GCM, which must be avoided for an output SA.

Add a check to ensure the state is in XFRM_STATE_VALID before use.
This check is useful for both output and input data paths.

Call chain:
  xfrm_output_one()
    xfrm_state_check_expire()
      if (x->km.state != XFRM_STATE_VALID) ---> new check
         return -EINVAL;
      encapsulate the packet

Signed-off-by: Antony Antony <antony.antony@...unet.com>
---
 net/xfrm/xfrm_state.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 91e0898c458f..c9c5a2daa86f 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2265,6 +2265,9 @@ EXPORT_SYMBOL(xfrm_state_update);
 
 int xfrm_state_check_expire(struct xfrm_state *x)
 {
+	if (x->km.state != XFRM_STATE_VALID)
+		return -EINVAL;
+
 	/* All counters which are needed to decide if state is expired
 	 * are handled by SW for non-packet offload modes. Simply skip
 	 * the following update and save extra boilerplate in drivers.
-- 
2.39.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ