af_key: Fix send_acquire race with pfkey_register

stable inclusion from stable-v4.19.268 commit 0c76cb8dcaf2561c7acef006af29ab9709fe001c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I69KBO CVE: NA -------------------------------- [ Upstream commit 7f57f816 ] The function pfkey_send_acquire may race with pfkey_register (which could even be in a different name space). This may result in a buffer overrun. Allocating the maximum amount of memory that could be used prevents this. Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com Fixes: 1da177e4 ("Linux-2.6.12-rc2") Signed-off-by: N Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by: N Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

af_key: Fix send_acquire race with pfkey_register
stable inclusion from stable-v4.19.268 commit 0c76cb8dcaf2561c7acef006af29ab9709fe001c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I69KBO CVE: NA -------------------------------- [ Upstream commit 7f57f816 ] The function pfkey_send_acquire may race with pfkey_register (which could even be in a different name space). This may result in a buffer overrun. Allocating the maximum amount of memory that could be used prevents this. Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com Fixes: 1da177e4 ("Linux-2.6.12-rc2") Signed-off-by: N Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by: N Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
447a290e · Herbert Xu · Yongqiang Liu · c6ed8217 · 447a290e
隐藏空白更改
内联并排

Showing with 22 addition and 10 deletion

net/key/af_key.c net/key/af_key.c +22 -10

未找到文件。
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2911,7 +2911,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t)
 			break;
 		if (!aalg->pfkey_supported)
 			continue;
-		if (aalg_tmpl_set(t, aalg) && aalg->available)
+		if (aalg_tmpl_set(t, aalg))
 			sz += sizeof(struct sadb_comb);
 	}
 	return sz + sizeof(struct sadb_prop);
@@ -2929,7 +2929,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
 		if (!ealg->pfkey_supported)
 			continue;

-		if (!(ealg_tmpl_set(t, ealg) && ealg->available))
+		if (!(ealg_tmpl_set(t, ealg)))
 			continue;

 		for (k = 1; ; k++) {
@@ -2940,16 +2940,17 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
 			if (!aalg->pfkey_supported)
 				continue;

-			if (aalg_tmpl_set(t, aalg) && aalg->available)
+			if (aalg_tmpl_set(t, aalg))
 				sz += sizeof(struct sadb_comb);
 		}
 	}
 	return sz + sizeof(struct sadb_prop);
 }

-static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+static int dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
 {
 	struct sadb_prop *p;
+	int sz = 0;
 	int i;

 	p = skb_put(skb, sizeof(struct sadb_prop));
@@ -2977,13 +2978,17 @@ static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
 			c->sadb_comb_soft_addtime = 20*60*60;
 			c->sadb_comb_hard_usetime = 8*60*60;
 			c->sadb_comb_soft_usetime = 7*60*60;
+			sz += sizeof(*c);
 		}
 	}
+
+	return sz + sizeof(*p);
 }

-static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
 {
 	struct sadb_prop *p;
+	int sz = 0;
 	int i, k;

 	p = skb_put(skb, sizeof(struct sadb_prop));
@@ -3025,8 +3030,11 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
 			c->sadb_comb_soft_addtime = 20*60*60;
 			c->sadb_comb_hard_usetime = 8*60*60;
 			c->sadb_comb_soft_usetime = 7*60*60;
+			sz += sizeof(*c);
 		}
 	}
+
+	return sz + sizeof(*p);
 }

 static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)
@@ -3156,6 +3164,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
 	struct sadb_x_sec_ctx *sec_ctx;
 	struct xfrm_sec_ctx *xfrm_ctx;
 	int ctx_size = 0;
+	int alg_size = 0;

 	sockaddr_size = pfkey_sockaddr_size(x->props.family);
 	if (!sockaddr_size)
@@ -3167,16 +3176,16 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
 		sizeof(struct sadb_x_policy);

 	if (x->id.proto == IPPROTO_AH)
-		size += count_ah_combs(t);
+		alg_size = count_ah_combs(t);
 	else if (x->id.proto == IPPROTO_ESP)
-		size += count_esp_combs(t);
+		alg_size = count_esp_combs(t);

 	if ((xfrm_ctx = x->security)) {
 		ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len);
 		size +=  sizeof(struct sadb_x_sec_ctx) + ctx_size;
 	}

-	skb =  alloc_skb(size + 16, GFP_ATOMIC);
+	skb =  alloc_skb(size + alg_size + 16, GFP_ATOMIC);
 	if (skb == NULL)
 		return -ENOMEM;

@@ -3230,10 +3239,13 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
 	pol->sadb_x_policy_priority = xp->priority;

 	/* Set sadb_comb's. */
+	alg_size = 0;
 	if (x->id.proto == IPPROTO_AH)
-		dump_ah_combs(skb, t);
+		alg_size = dump_ah_combs(skb, t);
 	else if (x->id.proto == IPPROTO_ESP)
-		dump_esp_combs(skb, t);
+		alg_size = dump_esp_combs(skb, t);
+
+	hdr->sadb_msg_len += alg_size / 8;

 	/* security context */
 	if (xfrm_ctx) {