diff mbox series

[v2] xfrm: add NULL check in xfrm_update_ae_params

Message ID 20230721145103.2714073-1-linma@zju.edu.cn (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series [v2] xfrm: add NULL check in xfrm_update_ae_params | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1357 this patch: 1357
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 1365 this patch: 1365
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1380 this patch: 1380
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Lin Ma July 21, 2023, 2:51 p.m. UTC
Normally, x->replay_esn and x->preplay_esn should be allocated at
xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
xfrm_update_ae_params(...) is okay to update them. However, the current
implementation of xfrm_new_ae(...) allows a malicious user to directly
dereference a NULL pointer and crash the kernel like below.

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
RIP: 0010:memcpy_orig+0xad/0x140
Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
RSP: 0018:ffff888008f57658 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
FS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 ? __die+0x1f/0x70
 ? page_fault_oops+0x1e8/0x500
 ? __pfx_is_prefetch.constprop.0+0x10/0x10
 ? __pfx_page_fault_oops+0x10/0x10
 ? _raw_spin_unlock_irqrestore+0x11/0x40
 ? fixup_exception+0x36/0x460
 ? _raw_spin_unlock_irqrestore+0x11/0x40
 ? exc_page_fault+0x5e/0xc0
 ? asm_exc_page_fault+0x26/0x30
 ? xfrm_update_ae_params+0xd1/0x260
 ? memcpy_orig+0xad/0x140
 ? __pfx__raw_spin_lock_bh+0x10/0x10
 xfrm_update_ae_params+0xe7/0x260
 xfrm_new_ae+0x298/0x4e0
 ? __pfx_xfrm_new_ae+0x10/0x10
 ? __pfx_xfrm_new_ae+0x10/0x10
 xfrm_user_rcv_msg+0x25a/0x410
 ? __pfx_xfrm_user_rcv_msg+0x10/0x10
 ? __alloc_skb+0xcf/0x210
 ? stack_trace_save+0x90/0xd0
 ? filter_irq_stacks+0x1c/0x70
 ? __stack_depot_save+0x39/0x4e0
 ? __kasan_slab_free+0x10a/0x190
 ? kmem_cache_free+0x9c/0x340
 ? netlink_recvmsg+0x23c/0x660
 ? sock_recvmsg+0xeb/0xf0
 ? __sys_recvfrom+0x13c/0x1f0
 ? __x64_sys_recvfrom+0x71/0x90
 ? do_syscall_64+0x3f/0x90
 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
 ? copyout+0x3e/0x50
 netlink_rcv_skb+0xd6/0x210
 ? __pfx_xfrm_user_rcv_msg+0x10/0x10
 ? __pfx_netlink_rcv_skb+0x10/0x10
 ? __pfx_sock_has_perm+0x10/0x10
 ? mutex_lock+0x8d/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 xfrm_netlink_rcv+0x44/0x50
 netlink_unicast+0x36f/0x4c0
 ? __pfx_netlink_unicast+0x10/0x10
 ? netlink_recvmsg+0x500/0x660
 netlink_sendmsg+0x3b7/0x700

This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
adds additional NULL check in xfrm_update_ae_params to fix the NPD.

Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
V1 -> V2: fix some typos: impelementation -> implementation,
          frm_update_ae_params -> xfrm_update_ae_params

 net/xfrm/xfrm_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Leon Romanovsky July 24, 2023, 11:30 a.m. UTC | #1
On Fri, Jul 21, 2023 at 10:51:03PM +0800, Lin Ma wrote:
> Normally, x->replay_esn and x->preplay_esn should be allocated at
> xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
> xfrm_update_ae_params(...) is okay to update them. However, the current
> implementation of xfrm_new_ae(...) allows a malicious user to directly
> dereference a NULL pointer and crash the kernel like below.
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
> Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
> RIP: 0010:memcpy_orig+0xad/0x140
> Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
> RSP: 0018:ffff888008f57658 EFLAGS: 00000202
> RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
> RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
> R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
> FS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
> Call Trace:
>  <TASK>
>  ? __die+0x1f/0x70
>  ? page_fault_oops+0x1e8/0x500
>  ? __pfx_is_prefetch.constprop.0+0x10/0x10
>  ? __pfx_page_fault_oops+0x10/0x10
>  ? _raw_spin_unlock_irqrestore+0x11/0x40
>  ? fixup_exception+0x36/0x460
>  ? _raw_spin_unlock_irqrestore+0x11/0x40
>  ? exc_page_fault+0x5e/0xc0
>  ? asm_exc_page_fault+0x26/0x30
>  ? xfrm_update_ae_params+0xd1/0x260
>  ? memcpy_orig+0xad/0x140
>  ? __pfx__raw_spin_lock_bh+0x10/0x10
>  xfrm_update_ae_params+0xe7/0x260
>  xfrm_new_ae+0x298/0x4e0
>  ? __pfx_xfrm_new_ae+0x10/0x10
>  ? __pfx_xfrm_new_ae+0x10/0x10
>  xfrm_user_rcv_msg+0x25a/0x410
>  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
>  ? __alloc_skb+0xcf/0x210
>  ? stack_trace_save+0x90/0xd0
>  ? filter_irq_stacks+0x1c/0x70
>  ? __stack_depot_save+0x39/0x4e0
>  ? __kasan_slab_free+0x10a/0x190
>  ? kmem_cache_free+0x9c/0x340
>  ? netlink_recvmsg+0x23c/0x660
>  ? sock_recvmsg+0xeb/0xf0
>  ? __sys_recvfrom+0x13c/0x1f0
>  ? __x64_sys_recvfrom+0x71/0x90
>  ? do_syscall_64+0x3f/0x90
>  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
>  ? copyout+0x3e/0x50
>  netlink_rcv_skb+0xd6/0x210
>  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
>  ? __pfx_netlink_rcv_skb+0x10/0x10
>  ? __pfx_sock_has_perm+0x10/0x10
>  ? mutex_lock+0x8d/0xe0
>  ? __pfx_mutex_lock+0x10/0x10
>  xfrm_netlink_rcv+0x44/0x50
>  netlink_unicast+0x36f/0x4c0
>  ? __pfx_netlink_unicast+0x10/0x10
>  ? netlink_recvmsg+0x500/0x660
>  netlink_sendmsg+0x3b7/0x700
> 
> This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
> adds additional NULL check in xfrm_update_ae_params to fix the NPD.
> 
> Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
> ---
> V1 -> V2: fix some typos: impelementation -> implementation,
>           frm_update_ae_params -> xfrm_update_ae_params
> 
>  net/xfrm/xfrm_user.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index c34a2a06ca94..bf2564967501 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -628,7 +628,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
>  	struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
>  	struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH];
>  
> -	if (re) {
> +	if (re && x->replay_esn && x->preplay_esn) {

If x->replay_esn is valid, x->preplay_esn will be valid too.

Thanks,
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Steffen Klassert Aug. 1, 2023, 9:59 a.m. UTC | #2
On Fri, Jul 21, 2023 at 10:51:03PM +0800, Lin Ma wrote:
> Normally, x->replay_esn and x->preplay_esn should be allocated at
> xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
> xfrm_update_ae_params(...) is okay to update them. However, the current
> implementation of xfrm_new_ae(...) allows a malicious user to directly
> dereference a NULL pointer and crash the kernel like below.

...

> This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
> adds additional NULL check in xfrm_update_ae_params to fix the NPD.
> 
> Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>

Applied, thanks a lot!
diff mbox series

Patch

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c34a2a06ca94..bf2564967501 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -628,7 +628,7 @@  static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
 	struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
 	struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH];
 
-	if (re) {
+	if (re && x->replay_esn && x->preplay_esn) {
 		struct xfrm_replay_state_esn *replay_esn;
 		replay_esn = nla_data(re);
 		memcpy(x->replay_esn, replay_esn,