1. 22 8月, 2023 6 次提交
  2. 16 8月, 2023 1 次提交
  3. 15 8月, 2023 8 次提交
  4. 14 8月, 2023 22 次提交
  5. 10 8月, 2023 1 次提交
    • L
      xfrm: add NULL check in xfrm_update_ae_params · 73f660ad
      Lin Ma 提交于
      mainline inclusion
      from mainline-v6.5-rc3
      commit 00374d9b6d9f932802b55181be9831aa948e5b7c
      category: bugfix
      bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NYWN
      CVE: CVE-2023-3772
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=00374d9b6d9f932802b55181be9831aa948e5b7c
      
      --------------------------------
      
      Normally, x->replay_esn and x->preplay_esn should be allocated at
      xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
      xfrm_update_ae_params(...) is okay to update them. However, the current
      implementation of xfrm_new_ae(...) allows a malicious user to directly
      dereference a NULL pointer and crash the kernel like below.
      
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
      Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
      CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774d #8
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
      RIP: 0010:memcpy_orig+0xad/0x140
      Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
      RSP: 0018:ffff888008f57658 EFLAGS: 00000202
      RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
      RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
      R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
      FS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
      Call Trace:
       <TASK>
       ? __die+0x1f/0x70
       ? page_fault_oops+0x1e8/0x500
       ? __pfx_is_prefetch.constprop.0+0x10/0x10
       ? __pfx_page_fault_oops+0x10/0x10
       ? _raw_spin_unlock_irqrestore+0x11/0x40
       ? fixup_exception+0x36/0x460
       ? _raw_spin_unlock_irqrestore+0x11/0x40
       ? exc_page_fault+0x5e/0xc0
       ? asm_exc_page_fault+0x26/0x30
       ? xfrm_update_ae_params+0xd1/0x260
       ? memcpy_orig+0xad/0x140
       ? __pfx__raw_spin_lock_bh+0x10/0x10
       xfrm_update_ae_params+0xe7/0x260
       xfrm_new_ae+0x298/0x4e0
       ? __pfx_xfrm_new_ae+0x10/0x10
       ? __pfx_xfrm_new_ae+0x10/0x10
       xfrm_user_rcv_msg+0x25a/0x410
       ? __pfx_xfrm_user_rcv_msg+0x10/0x10
       ? __alloc_skb+0xcf/0x210
       ? stack_trace_save+0x90/0xd0
       ? filter_irq_stacks+0x1c/0x70
       ? __stack_depot_save+0x39/0x4e0
       ? __kasan_slab_free+0x10a/0x190
       ? kmem_cache_free+0x9c/0x340
       ? netlink_recvmsg+0x23c/0x660
       ? sock_recvmsg+0xeb/0xf0
       ? __sys_recvfrom+0x13c/0x1f0
       ? __x64_sys_recvfrom+0x71/0x90
       ? do_syscall_64+0x3f/0x90
       ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
       ? copyout+0x3e/0x50
       netlink_rcv_skb+0xd6/0x210
       ? __pfx_xfrm_user_rcv_msg+0x10/0x10
       ? __pfx_netlink_rcv_skb+0x10/0x10
       ? __pfx_sock_has_perm+0x10/0x10
       ? mutex_lock+0x8d/0xe0
       ? __pfx_mutex_lock+0x10/0x10
       xfrm_netlink_rcv+0x44/0x50
       netlink_unicast+0x36f/0x4c0
       ? __pfx_netlink_unicast+0x10/0x10
       ? netlink_recvmsg+0x500/0x660
       netlink_sendmsg+0x3b7/0x700
      
      This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
      adds additional NULL check in xfrm_update_ae_params to fix the NPD.
      
      Fixes: d8647b79 ("xfrm: Add user interface for esn and big anti-replay windows")
      Signed-off-by: NLin Ma <linma@zju.edu.cn>
      Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      
      Conflicts:
      	net/xfrm/xfrm_user.c
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      (cherry picked from commit 5bfbef90)
      73f660ad
  6. 09 8月, 2023 2 次提交