Message ID | 20230721145103.2714073-1-linma@zju.edu.cn (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [v2] xfrm: add NULL check in xfrm_update_ae_params | expand |
On Fri, Jul 21, 2023 at 10:51:03PM +0800, Lin Ma wrote: > Normally, x->replay_esn and x->preplay_esn should be allocated at > xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the > xfrm_update_ae_params(...) is okay to update them. However, the current > implementation of xfrm_new_ae(...) allows a malicious user to directly > dereference a NULL pointer and crash the kernel like below. > > BUG: kernel NULL pointer dereference, address: 0000000000000000 > PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 > Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI > CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 > RIP: 0010:memcpy_orig+0xad/0x140 > Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c > RSP: 0018:ffff888008f57658 EFLAGS: 00000202 > RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 > RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 > R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 > FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 > Call Trace: > <TASK> > ? __die+0x1f/0x70 > ? page_fault_oops+0x1e8/0x500 > ? __pfx_is_prefetch.constprop.0+0x10/0x10 > ? __pfx_page_fault_oops+0x10/0x10 > ? _raw_spin_unlock_irqrestore+0x11/0x40 > ? fixup_exception+0x36/0x460 > ? _raw_spin_unlock_irqrestore+0x11/0x40 > ? exc_page_fault+0x5e/0xc0 > ? asm_exc_page_fault+0x26/0x30 > ? xfrm_update_ae_params+0xd1/0x260 > ? memcpy_orig+0xad/0x140 > ? __pfx__raw_spin_lock_bh+0x10/0x10 > xfrm_update_ae_params+0xe7/0x260 > xfrm_new_ae+0x298/0x4e0 > ? __pfx_xfrm_new_ae+0x10/0x10 > ? __pfx_xfrm_new_ae+0x10/0x10 > xfrm_user_rcv_msg+0x25a/0x410 > ? __pfx_xfrm_user_rcv_msg+0x10/0x10 > ? __alloc_skb+0xcf/0x210 > ? stack_trace_save+0x90/0xd0 > ? filter_irq_stacks+0x1c/0x70 > ? __stack_depot_save+0x39/0x4e0 > ? __kasan_slab_free+0x10a/0x190 > ? kmem_cache_free+0x9c/0x340 > ? netlink_recvmsg+0x23c/0x660 > ? sock_recvmsg+0xeb/0xf0 > ? __sys_recvfrom+0x13c/0x1f0 > ? __x64_sys_recvfrom+0x71/0x90 > ? do_syscall_64+0x3f/0x90 > ? entry_SYSCALL_64_after_hwframe+0x72/0xdc > ? copyout+0x3e/0x50 > netlink_rcv_skb+0xd6/0x210 > ? __pfx_xfrm_user_rcv_msg+0x10/0x10 > ? __pfx_netlink_rcv_skb+0x10/0x10 > ? __pfx_sock_has_perm+0x10/0x10 > ? mutex_lock+0x8d/0xe0 > ? __pfx_mutex_lock+0x10/0x10 > xfrm_netlink_rcv+0x44/0x50 > netlink_unicast+0x36f/0x4c0 > ? __pfx_netlink_unicast+0x10/0x10 > ? netlink_recvmsg+0x500/0x660 > netlink_sendmsg+0x3b7/0x700 > > This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit > adds additional NULL check in xfrm_update_ae_params to fix the NPD. > > Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows") > Signed-off-by: Lin Ma <linma@zju.edu.cn> > --- > V1 -> V2: fix some typos: impelementation -> implementation, > frm_update_ae_params -> xfrm_update_ae_params > > net/xfrm/xfrm_user.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c > index c34a2a06ca94..bf2564967501 100644 > --- a/net/xfrm/xfrm_user.c > +++ b/net/xfrm/xfrm_user.c > @@ -628,7 +628,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, > struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; > struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; > > - if (re) { > + if (re && x->replay_esn && x->preplay_esn) { If x->replay_esn is valid, x->preplay_esn will be valid too. Thanks, Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
On Fri, Jul 21, 2023 at 10:51:03PM +0800, Lin Ma wrote: > Normally, x->replay_esn and x->preplay_esn should be allocated at > xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the > xfrm_update_ae_params(...) is okay to update them. However, the current > implementation of xfrm_new_ae(...) allows a malicious user to directly > dereference a NULL pointer and crash the kernel like below. ... > This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit > adds additional NULL check in xfrm_update_ae_params to fix the NPD. > > Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows") > Signed-off-by: Lin Ma <linma@zju.edu.cn> Applied, thanks a lot!
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c34a2a06ca94..bf2564967501 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -628,7 +628,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; - if (re) { + if (re && x->replay_esn && x->preplay_esn) { struct xfrm_replay_state_esn *replay_esn; replay_esn = nla_data(re); memcpy(x->replay_esn, replay_esn,
Normally, x->replay_esn and x->preplay_esn should be allocated at xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the xfrm_update_ae_params(...) is okay to update them. However, the current implementation of xfrm_new_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 RIP: 0010:memcpy_orig+0xad/0x140 Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c RSP: 0018:ffff888008f57658 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x1e8/0x500 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? __pfx_page_fault_oops+0x10/0x10 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? fixup_exception+0x36/0x460 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? exc_page_fault+0x5e/0xc0 ? asm_exc_page_fault+0x26/0x30 ? xfrm_update_ae_params+0xd1/0x260 ? memcpy_orig+0xad/0x140 ? __pfx__raw_spin_lock_bh+0x10/0x10 xfrm_update_ae_params+0xe7/0x260 xfrm_new_ae+0x298/0x4e0 ? __pfx_xfrm_new_ae+0x10/0x10 ? __pfx_xfrm_new_ae+0x10/0x10 xfrm_user_rcv_msg+0x25a/0x410 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __alloc_skb+0xcf/0x210 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1c/0x70 ? __stack_depot_save+0x39/0x4e0 ? __kasan_slab_free+0x10a/0x190 ? kmem_cache_free+0x9c/0x340 ? netlink_recvmsg+0x23c/0x660 ? sock_recvmsg+0xeb/0xf0 ? __sys_recvfrom+0x13c/0x1f0 ? __x64_sys_recvfrom+0x71/0x90 ? do_syscall_64+0x3f/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc ? copyout+0x3e/0x50 netlink_rcv_skb+0xd6/0x210 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? __pfx_sock_has_perm+0x10/0x10 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 xfrm_netlink_rcv+0x44/0x50 netlink_unicast+0x36f/0x4c0 ? __pfx_netlink_unicast+0x10/0x10 ? netlink_recvmsg+0x500/0x660 netlink_sendmsg+0x3b7/0x700 This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit adds additional NULL check in xfrm_update_ae_params to fix the NPD. Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows") Signed-off-by: Lin Ma <linma@zju.edu.cn> --- V1 -> V2: fix some typos: impelementation -> implementation, frm_update_ae_params -> xfrm_update_ae_params net/xfrm/xfrm_user.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)