diff mbox series

[v1] net: xfrm: Fix xfrm_address_filter OOB read

Message ID 20230625092855.207918-1-linma@zju.edu.cn (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [v1] net: xfrm: Fix xfrm_address_filter OOB read | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 23 this patch: 23
netdev/cc_maintainers fail 1 blamed authors not CCed: nicolas.dichtel@6wind.com; 1 maintainers not CCed: nicolas.dichtel@6wind.com
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 23 this patch: 23
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Lin Ma June 25, 2023, 9:28 a.m. UTC
We found below OOB crash:

[   44.211730] ==================================================================
[   44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0
[   44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97
[   44.212045]
[   44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4
[   44.212045] Call Trace:
[   44.212045]  <TASK>
[   44.212045]  dump_stack_lvl+0x37/0x50
[   44.212045]  print_report+0xcc/0x620
[   44.212045]  ? __virt_addr_valid+0xf3/0x170
[   44.212045]  ? memcmp+0x8b/0xb0
[   44.212045]  kasan_report+0xb2/0xe0
[   44.212045]  ? memcmp+0x8b/0xb0
[   44.212045]  kasan_check_range+0x39/0x1c0
[   44.212045]  memcmp+0x8b/0xb0
[   44.212045]  xfrm_state_walk+0x21c/0x420
[   44.212045]  ? __pfx_dump_one_state+0x10/0x10
[   44.212045]  xfrm_dump_sa+0x1e2/0x290
[   44.212045]  ? __pfx_xfrm_dump_sa+0x10/0x10
[   44.212045]  ? __kernel_text_address+0xd/0x40
[   44.212045]  ? kasan_unpoison+0x27/0x60
[   44.212045]  ? mutex_lock+0x60/0xe0
[   44.212045]  ? __pfx_mutex_lock+0x10/0x10
[   44.212045]  ? kasan_save_stack+0x22/0x50
[   44.212045]  netlink_dump+0x322/0x6c0
[   44.212045]  ? __pfx_netlink_dump+0x10/0x10
[   44.212045]  ? mutex_unlock+0x7f/0xd0
[   44.212045]  ? __pfx_mutex_unlock+0x10/0x10
[   44.212045]  __netlink_dump_start+0x353/0x430
[   44.212045]  xfrm_user_rcv_msg+0x3a4/0x410
[   44.212045]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[   44.212045]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[   44.212045]  ? __pfx_xfrm_dump_sa+0x10/0x10
[   44.212045]  ? __pfx_xfrm_dump_sa_done+0x10/0x10
[   44.212045]  ? __stack_depot_save+0x382/0x4e0
[   44.212045]  ? filter_irq_stacks+0x1c/0x70
[   44.212045]  ? kasan_save_stack+0x32/0x50
[   44.212045]  ? kasan_save_stack+0x22/0x50
[   44.212045]  ? kasan_set_track+0x25/0x30
[   44.212045]  ? __kasan_slab_alloc+0x59/0x70
[   44.212045]  ? kmem_cache_alloc_node+0xf7/0x260
[   44.212045]  ? kmalloc_reserve+0xab/0x120
[   44.212045]  ? __alloc_skb+0xcf/0x210
[   44.212045]  ? netlink_sendmsg+0x509/0x700
[   44.212045]  ? sock_sendmsg+0xde/0xe0
[   44.212045]  ? __sys_sendto+0x18d/0x230
[   44.212045]  ? __x64_sys_sendto+0x71/0x90
[   44.212045]  ? do_syscall_64+0x3f/0x90
[   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   44.212045]  ? netlink_sendmsg+0x509/0x700
[   44.212045]  ? sock_sendmsg+0xde/0xe0
[   44.212045]  ? __sys_sendto+0x18d/0x230
[   44.212045]  ? __x64_sys_sendto+0x71/0x90
[   44.212045]  ? do_syscall_64+0x3f/0x90
[   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   44.212045]  ? kasan_save_stack+0x22/0x50
[   44.212045]  ? kasan_set_track+0x25/0x30
[   44.212045]  ? kasan_save_free_info+0x2e/0x50
[   44.212045]  ? __kasan_slab_free+0x10a/0x190
[   44.212045]  ? kmem_cache_free+0x9c/0x340
[   44.212045]  ? netlink_recvmsg+0x23c/0x660
[   44.212045]  ? sock_recvmsg+0xeb/0xf0
[   44.212045]  ? __sys_recvfrom+0x13c/0x1f0
[   44.212045]  ? __x64_sys_recvfrom+0x71/0x90
[   44.212045]  ? do_syscall_64+0x3f/0x90
[   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   44.212045]  ? copyout+0x3e/0x50
[   44.212045]  netlink_rcv_skb+0xd6/0x210
[   44.212045]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[   44.212045]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   44.212045]  ? __pfx_sock_has_perm+0x10/0x10
[   44.212045]  ? mutex_lock+0x8d/0xe0
[   44.212045]  ? __pfx_mutex_lock+0x10/0x10
[   44.212045]  xfrm_netlink_rcv+0x44/0x50
[   44.212045]  netlink_unicast+0x36f/0x4c0
[   44.212045]  ? __pfx_netlink_unicast+0x10/0x10
[   44.212045]  ? netlink_recvmsg+0x500/0x660
[   44.212045]  netlink_sendmsg+0x3b7/0x700
[   44.212045]  ? __pfx_netlink_sendmsg+0x10/0x10
[   44.212045]  ? __pfx_netlink_sendmsg+0x10/0x10
[   44.212045]  sock_sendmsg+0xde/0xe0
[   44.212045]  __sys_sendto+0x18d/0x230
[   44.212045]  ? __pfx___sys_sendto+0x10/0x10
[   44.212045]  ? rcu_core+0x44a/0xe10
[   44.212045]  ? __rseq_handle_notify_resume+0x45b/0x740
[   44.212045]  ? _raw_spin_lock_irq+0x81/0xe0
[   44.212045]  ? __pfx___rseq_handle_notify_resume+0x10/0x10
[   44.212045]  ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
[   44.212045]  ? __pfx_blkcg_maybe_throttle_current+0x10/0x10
[   44.212045]  ? __pfx_task_work_run+0x10/0x10
[   44.212045]  __x64_sys_sendto+0x71/0x90
[   44.212045]  do_syscall_64+0x3f/0x90
[   44.212045]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   44.212045] RIP: 0033:0x44b7da
[   44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da
[   44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003
[   44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c
[   44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001
[   44.212045]  </TASK>
[   44.212045]
[   44.212045] Allocated by task 97:
[   44.212045]  kasan_save_stack+0x22/0x50
[   44.212045]  kasan_set_track+0x25/0x30
[   44.212045]  __kasan_kmalloc+0x7f/0x90
[   44.212045]  __kmalloc_node_track_caller+0x5b/0x140
[   44.212045]  kmemdup+0x21/0x50
[   44.212045]  xfrm_dump_sa+0x17d/0x290
[   44.212045]  netlink_dump+0x322/0x6c0
[   44.212045]  __netlink_dump_start+0x353/0x430
[   44.212045]  xfrm_user_rcv_msg+0x3a4/0x410
[   44.212045]  netlink_rcv_skb+0xd6/0x210
[   44.212045]  xfrm_netlink_rcv+0x44/0x50
[   44.212045]  netlink_unicast+0x36f/0x4c0
[   44.212045]  netlink_sendmsg+0x3b7/0x700
[   44.212045]  sock_sendmsg+0xde/0xe0
[   44.212045]  __sys_sendto+0x18d/0x230
[   44.212045]  __x64_sys_sendto+0x71/0x90
[   44.212045]  do_syscall_64+0x3f/0x90
[   44.212045]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   44.212045]
[   44.212045] The buggy address belongs to the object at ffff88800870f300
[   44.212045]  which belongs to the cache kmalloc-64 of size 64
[   44.212045] The buggy address is located 32 bytes inside of
[   44.212045]  allocated 36-byte region [ffff88800870f300, ffff88800870f324)
[   44.212045]
[   44.212045] The buggy address belongs to the physical page:
[   44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ...
[   44.212045] flags: 0x100000000000200(slab|node=0|zone=1)
[   44.212045] page_type: 0xffffffff()
[   44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000
[   44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[   44.212045] page dumped because: kasan: bad access detected
[   44.212045]
[   44.212045] Memory state around the buggy address:
[   44.212045]  ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   44.212045]  ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
[   44.212045]                                ^
[   44.212045]  ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.212045]  ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.212045] ==================================================================

By investigating the code, we find the root cause of this OOB is the lack
of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass
arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states,
the attacker can achieve 8 bytes heap OOB read, which causes info leak.

  if (attrs[XFRMA_ADDRESS_FILTER]) {
    filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
        sizeof(*filter), GFP_KERNEL);
    if (filter == NULL)
      return -ENOMEM;
    // NO MORE CHECKS HERE !!!
  }

This patch fixes the OOB by adding necessary boundary checks, just like
the code in pfkey_dump() function.

Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
 net/xfrm/xfrm_user.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Simon Horman June 25, 2023, 12:16 p.m. UTC | #1
On Sun, Jun 25, 2023 at 05:28:55PM +0800, Lin Ma wrote:
> We found below OOB crash:
> 
> [   44.211730] ==================================================================
> [   44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0
> [   44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97
> [   44.212045]
> [   44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4
> [   44.212045] Call Trace:
> [   44.212045]  <TASK>
> [   44.212045]  dump_stack_lvl+0x37/0x50
> [   44.212045]  print_report+0xcc/0x620
> [   44.212045]  ? __virt_addr_valid+0xf3/0x170
> [   44.212045]  ? memcmp+0x8b/0xb0
> [   44.212045]  kasan_report+0xb2/0xe0
> [   44.212045]  ? memcmp+0x8b/0xb0
> [   44.212045]  kasan_check_range+0x39/0x1c0
> [   44.212045]  memcmp+0x8b/0xb0
> [   44.212045]  xfrm_state_walk+0x21c/0x420
> [   44.212045]  ? __pfx_dump_one_state+0x10/0x10
> [   44.212045]  xfrm_dump_sa+0x1e2/0x290
> [   44.212045]  ? __pfx_xfrm_dump_sa+0x10/0x10
> [   44.212045]  ? __kernel_text_address+0xd/0x40
> [   44.212045]  ? kasan_unpoison+0x27/0x60
> [   44.212045]  ? mutex_lock+0x60/0xe0
> [   44.212045]  ? __pfx_mutex_lock+0x10/0x10
> [   44.212045]  ? kasan_save_stack+0x22/0x50
> [   44.212045]  netlink_dump+0x322/0x6c0
> [   44.212045]  ? __pfx_netlink_dump+0x10/0x10
> [   44.212045]  ? mutex_unlock+0x7f/0xd0
> [   44.212045]  ? __pfx_mutex_unlock+0x10/0x10
> [   44.212045]  __netlink_dump_start+0x353/0x430
> [   44.212045]  xfrm_user_rcv_msg+0x3a4/0x410
> [   44.212045]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> [   44.212045]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
> [   44.212045]  ? __pfx_xfrm_dump_sa+0x10/0x10
> [   44.212045]  ? __pfx_xfrm_dump_sa_done+0x10/0x10
> [   44.212045]  ? __stack_depot_save+0x382/0x4e0
> [   44.212045]  ? filter_irq_stacks+0x1c/0x70
> [   44.212045]  ? kasan_save_stack+0x32/0x50
> [   44.212045]  ? kasan_save_stack+0x22/0x50
> [   44.212045]  ? kasan_set_track+0x25/0x30
> [   44.212045]  ? __kasan_slab_alloc+0x59/0x70
> [   44.212045]  ? kmem_cache_alloc_node+0xf7/0x260
> [   44.212045]  ? kmalloc_reserve+0xab/0x120
> [   44.212045]  ? __alloc_skb+0xcf/0x210
> [   44.212045]  ? netlink_sendmsg+0x509/0x700
> [   44.212045]  ? sock_sendmsg+0xde/0xe0
> [   44.212045]  ? __sys_sendto+0x18d/0x230
> [   44.212045]  ? __x64_sys_sendto+0x71/0x90
> [   44.212045]  ? do_syscall_64+0x3f/0x90
> [   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
> [   44.212045]  ? netlink_sendmsg+0x509/0x700
> [   44.212045]  ? sock_sendmsg+0xde/0xe0
> [   44.212045]  ? __sys_sendto+0x18d/0x230
> [   44.212045]  ? __x64_sys_sendto+0x71/0x90
> [   44.212045]  ? do_syscall_64+0x3f/0x90
> [   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
> [   44.212045]  ? kasan_save_stack+0x22/0x50
> [   44.212045]  ? kasan_set_track+0x25/0x30
> [   44.212045]  ? kasan_save_free_info+0x2e/0x50
> [   44.212045]  ? __kasan_slab_free+0x10a/0x190
> [   44.212045]  ? kmem_cache_free+0x9c/0x340
> [   44.212045]  ? netlink_recvmsg+0x23c/0x660
> [   44.212045]  ? sock_recvmsg+0xeb/0xf0
> [   44.212045]  ? __sys_recvfrom+0x13c/0x1f0
> [   44.212045]  ? __x64_sys_recvfrom+0x71/0x90
> [   44.212045]  ? do_syscall_64+0x3f/0x90
> [   44.212045]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
> [   44.212045]  ? copyout+0x3e/0x50
> [   44.212045]  netlink_rcv_skb+0xd6/0x210
> [   44.212045]  ? __pfx_xfrm_user_rcv_msg+0x10/0x10
> [   44.212045]  ? __pfx_netlink_rcv_skb+0x10/0x10
> [   44.212045]  ? __pfx_sock_has_perm+0x10/0x10
> [   44.212045]  ? mutex_lock+0x8d/0xe0
> [   44.212045]  ? __pfx_mutex_lock+0x10/0x10
> [   44.212045]  xfrm_netlink_rcv+0x44/0x50
> [   44.212045]  netlink_unicast+0x36f/0x4c0
> [   44.212045]  ? __pfx_netlink_unicast+0x10/0x10
> [   44.212045]  ? netlink_recvmsg+0x500/0x660
> [   44.212045]  netlink_sendmsg+0x3b7/0x700
> [   44.212045]  ? __pfx_netlink_sendmsg+0x10/0x10
> [   44.212045]  ? __pfx_netlink_sendmsg+0x10/0x10
> [   44.212045]  sock_sendmsg+0xde/0xe0
> [   44.212045]  __sys_sendto+0x18d/0x230
> [   44.212045]  ? __pfx___sys_sendto+0x10/0x10
> [   44.212045]  ? rcu_core+0x44a/0xe10
> [   44.212045]  ? __rseq_handle_notify_resume+0x45b/0x740
> [   44.212045]  ? _raw_spin_lock_irq+0x81/0xe0
> [   44.212045]  ? __pfx___rseq_handle_notify_resume+0x10/0x10
> [   44.212045]  ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
> [   44.212045]  ? __pfx_blkcg_maybe_throttle_current+0x10/0x10
> [   44.212045]  ? __pfx_task_work_run+0x10/0x10
> [   44.212045]  __x64_sys_sendto+0x71/0x90
> [   44.212045]  do_syscall_64+0x3f/0x90
> [   44.212045]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
> [   44.212045] RIP: 0033:0x44b7da
> [   44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> [   44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da
> [   44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003
> [   44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c
> [   44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> [   44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001
> [   44.212045]  </TASK>
> [   44.212045]
> [   44.212045] Allocated by task 97:
> [   44.212045]  kasan_save_stack+0x22/0x50
> [   44.212045]  kasan_set_track+0x25/0x30
> [   44.212045]  __kasan_kmalloc+0x7f/0x90
> [   44.212045]  __kmalloc_node_track_caller+0x5b/0x140
> [   44.212045]  kmemdup+0x21/0x50
> [   44.212045]  xfrm_dump_sa+0x17d/0x290
> [   44.212045]  netlink_dump+0x322/0x6c0
> [   44.212045]  __netlink_dump_start+0x353/0x430
> [   44.212045]  xfrm_user_rcv_msg+0x3a4/0x410
> [   44.212045]  netlink_rcv_skb+0xd6/0x210
> [   44.212045]  xfrm_netlink_rcv+0x44/0x50
> [   44.212045]  netlink_unicast+0x36f/0x4c0
> [   44.212045]  netlink_sendmsg+0x3b7/0x700
> [   44.212045]  sock_sendmsg+0xde/0xe0
> [   44.212045]  __sys_sendto+0x18d/0x230
> [   44.212045]  __x64_sys_sendto+0x71/0x90
> [   44.212045]  do_syscall_64+0x3f/0x90
> [   44.212045]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
> [   44.212045]
> [   44.212045] The buggy address belongs to the object at ffff88800870f300
> [   44.212045]  which belongs to the cache kmalloc-64 of size 64
> [   44.212045] The buggy address is located 32 bytes inside of
> [   44.212045]  allocated 36-byte region [ffff88800870f300, ffff88800870f324)
> [   44.212045]
> [   44.212045] The buggy address belongs to the physical page:
> [   44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ...
> [   44.212045] flags: 0x100000000000200(slab|node=0|zone=1)
> [   44.212045] page_type: 0xffffffff()
> [   44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000
> [   44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
> [   44.212045] page dumped because: kasan: bad access detected
> [   44.212045]
> [   44.212045] Memory state around the buggy address:
> [   44.212045]  ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [   44.212045]  ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
> [   44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
> [   44.212045]                                ^
> [   44.212045]  ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   44.212045]  ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   44.212045] ==================================================================
> 
> By investigating the code, we find the root cause of this OOB is the lack
> of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass
> arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states,
> the attacker can achieve 8 bytes heap OOB read, which causes info leak.
> 
>   if (attrs[XFRMA_ADDRESS_FILTER]) {
>     filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
>         sizeof(*filter), GFP_KERNEL);
>     if (filter == NULL)
>       return -ENOMEM;
>     // NO MORE CHECKS HERE !!!
>   }
> 
> This patch fixes the OOB by adding necessary boundary checks, just like
> the code in pfkey_dump() function.
> 
> Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
> ---
>  net/xfrm/xfrm_user.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index c34a2a06ca94..a73ae4ad8096 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1267,6 +1267,10 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
>  					 sizeof(*filter), GFP_KERNEL);
>  			if (filter == NULL)
>  				return -ENOMEM;
> +
> +			if (filter->splen >= (sizeof(xfrm_address_t) << 3) ||
> +			    filter->dplen >= (sizeof(xfrm_address_t) << 3))
> +				return -EINVAL;

Hi Lin Ma,

It appears that the memory allocation for filter is leaked if the
new condition above is met.

>  		}
>  
>  		if (attrs[XFRMA_PROTO])
> -- 
> 2.17.1
> 
>
diff mbox series

Patch

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c34a2a06ca94..a73ae4ad8096 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1267,6 +1267,10 @@  static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
 					 sizeof(*filter), GFP_KERNEL);
 			if (filter == NULL)
 				return -ENOMEM;
+
+			if (filter->splen >= (sizeof(xfrm_address_t) << 3) ||
+			    filter->dplen >= (sizeof(xfrm_address_t) << 3))
+				return -EINVAL;
 		}
 
 		if (attrs[XFRMA_PROTO])