iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Sean Tranchetti 5217bec5a6 xfrm: validate template mode 
[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]

XFRM mode parameters passed as part of the user templates
in the IP_XFRM_POLICY are never properly validated. Passing
values other than valid XFRM modes can cause stack-out-of-bounds
reads to occur later in the XFRM processing:

[  140.535608] ================================================================
[  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
[  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
[  140.557369]
[  140.558927] Call trace:
[  140.558936] dump_backtrace+0x0/0x388
[  140.558940] show_stack+0x24/0x30
[  140.558946] __dump_stack+0x24/0x2c
[  140.558949] dump_stack+0x8c/0xd0
[  140.558956] print_address_description+0x74/0x234
[  140.558960] kasan_report+0x240/0x264
[  140.558963] __asan_report_load4_noabort+0x2c/0x38
[  140.558967] xfrm_state_find+0x17e4/0x1cc4
[  140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
[  140.558975] xfrm_lookup+0x238/0x1444
[  140.558977] xfrm_lookup_route+0x48/0x11c
[  140.558984] ip_route_output_flow+0x88/0xc4
[  140.558991] raw_sendmsg+0xa74/0x266c
[  140.558996] inet_sendmsg+0x258/0x3b0
[  140.559002] sock_sendmsg+0xbc/0xec
[  140.559005] SyS_sendto+0x3a8/0x5a8
[  140.559008] el0_svc_naked+0x34/0x38
[  140.559009]
[  140.592245] page dumped because: kasan: bad access detected
[  140.597981] page_owner info is not active (free page?)
[  140.603267]
[  140.653503] ================================================================

Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-11-10 07:41:33 -08:00
..
6lowpan
6lowpan: iphc: reset mac_header after decompress to fix panic
2018-10-10 08:52:04 +02:00
9p
net/9p: fix error path of p9_virtio_probe
2018-09-15 09:40:39 +02:00
802
8021q
vlan: also check phy_driver ts_info for vlan's real device
2018-04-13 19:50:25 +02:00
appletalk
atm
net: atm: Fix potential Spectre v1
2018-05-16 10:06:51 +02:00
ax25
ax25: Fix segfault after sock connection timeout
2017-02-04 09:45:09 +01:00
batman-adv
batman-adv: fix packet loss for broadcasted DHCP packets to a server
2018-05-30 07:49:06 +02:00
bluetooth
Bluetooth: hidp: Fix handling of strncpy for hid->name information
2018-09-19 22:48:58 +02:00
bridge
ebtables: arpreply: Add the standard target sanity check
2018-10-13 09:11:35 +02:00
caif
net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
2018-09-05 09:18:34 +02:00
can
can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
2018-01-31 12:06:08 +01:00
ceph
libceph: validate con->state at the top of try_write()
2018-05-02 07:53:42 -07:00
core
rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
2018-10-20 09:52:37 +02:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:48:58 +02:00
dccp
dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
2018-08-22 07:48:35 +02:00
decnet
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-02-25 11:03:38 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:25:54 +02:00
dsa
net: dsa: Do not suspend/resume closed slave_dev
2018-08-06 16:24:41 +02:00
ethernet
net: introduce device min_header_len
2017-02-18 16:39:27 +01:00
hsr
net/hsr: fix a warning message
2015-11-23 14:56:15 -05:00
ieee802154
net: 6lowpan: fix reserved space for single frames
2018-09-09 20:04:32 +02:00
ipv4
net: ipv4: update fnhe_pmtu when first hop's MTU changes
2018-10-20 09:52:36 +02:00
ipv6
xfrm6: call kfree_skb when skb is toobig
2018-11-10 07:41:32 -08:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 14:30:13 +02:00
irda
irda: Only insert new objects into the global database via setsockopt
2018-09-15 09:40:40 +02:00
iucv
net/iucv: Free memory obtained by kzalloc
2018-03-31 18:12:33 +02:00
key
af_key: Always verify length of provided sadb_key
2018-06-16 09:54:25 +02:00
l2tp
l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache
2018-08-22 07:48:35 +02:00
l3mdev
net: Add netif_is_l3_slave
2015-10-07 04:27:43 -07:00
lapb
llc
llc: use refcount_inc_not_zero() for llc_sap_find()
2018-08-22 07:48:35 +02:00
mac80211
mac80211: Always report TX status
2018-11-10 07:41:33 -08:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 20:04:32 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-03-11 16:19:47 +01:00
netfilter
netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
2018-09-19 22:48:59 +02:00
netlabel
netlabel: check for IPV4MASK in addrinfo_get
2018-10-20 09:52:36 +02:00
netlink
netlink: Don't shift on 64 for ngroups
2018-08-09 12:19:28 +02:00
netrom
nfc
NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
2018-09-29 03:08:51 -07:00
openvswitch
openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
2018-05-26 08:48:47 +02:00
packet
packet: refine ring v3 block size test to hold one frame
2018-08-24 13:27:01 +02:00
phonet
phonet: properly unshare skbs in phonet_rcv()
2016-01-31 11:29:00 -08:00
rds
rds: avoid unenecessary cong_update in loop transport
2018-07-22 14:25:54 +02:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:06:51 +02:00
rose
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-06-24 02:58:51 -07:00
rxrpc
rxrpc: check return value of skb_to_sgvec always
2018-04-13 19:50:23 +02:00
sched
sch_tbf: fix two null pointer dereferences on init failure
2018-09-15 09:40:42 +02:00
sctp
sctp: delay the authentication for the duplicated cookie-echo chunk
2018-05-26 08:48:49 +02:00
sunrpc
rpc_pipefs: fix double-dput()
2018-04-24 09:32:11 +02:00
switchdev
switchdev: pass pointer to fib_info instead of copy
2016-06-24 10:18:16 -07:00
tipc
tipc: add policy for TIPC_NLA_NET_ADDR
2018-04-29 07:50:06 +02:00
unix
net/unix: don't show information about sockets from other namespaces
2017-11-18 11:11:06 +01:00
vmw_vsock
vsock: split dwork to avoid reinitializations
2018-08-22 07:48:35 +02:00
wimax
net:wimax: Fix doucble word "the the" in networking.xml
2015-08-09 22:43:52 -07:00
wireless
cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
2018-11-10 07:41:33 -08:00
x25
net: x25: fix one potential use-after-free issue
2018-04-13 19:50:07 +02:00
xfrm
xfrm: validate template mode
2018-11-10 07:41:33 -08:00
compat.c
net: support compat 64-bit time in {s,g}etsockopt
2018-05-26 08:48:47 +02:00
Kconfig
Make DST_CACHE a silent config option
2018-02-25 11:03:37 +01:00
Makefile
net: Introduce L3 Master device abstraction
2015-09-29 20:40:32 -07:00
socket.c
net: socket: fix potential spectre v1 gadget in socketcall
2018-08-06 16:24:42 +02:00
sysctl_net.c
net: Use ns_capable_noaudit() when determining net sysctl permissions
2016-09-15 08:27:50 +02:00