Message ID | 20230625092855.207918-1-linma@zju.edu.cn |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp6821508vqr; Sun, 25 Jun 2023 02:41:59 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4XAGX+9gjT+GPpufZlCj7rpj+TIAd3jDpgy6rI7cgfCpEgh5XOWB0psyZjbhAatBoMuMc4 X-Received: by 2002:a17:903:246:b0:1a6:d15f:3ce1 with SMTP id j6-20020a170903024600b001a6d15f3ce1mr5899558plh.34.1687686119332; Sun, 25 Jun 2023 02:41:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687686119; cv=none; d=google.com; s=arc-20160816; b=iZ/dKU4cZK3DgK0qCEf1S//mTA5K1LOp1BfXwVxo+23l15XV0xPlPCAvUysZNWB+Mf ReFAPHE7plp4ZwMauFOn45m2d6YcsGQztuidHJsq92Onk/CZ1hyGr7f8mzJXY3xvLpL+ kERNsF5hQ/tvK9NpVJt7/1qVo8+zPwZOb5Uvbf60UiCGYVV44T+Y+drKclAlAeVbw+9L TZtNLIquGh+WyRZHutlNMU1qY7dY+vDdRqH6EsD3QCTA4GnPEj26aQQz2a3q64nwbheG HxziF0VjeCd9EEBYGzdU8N/QNqS01+wLrbMK+QIlzPrlFWsrRsNepqm8Plw3rsr1ijMt cVuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from; bh=x+dwVn9u7vZzLEgBWKjeqIjkWqI7KHZVNlNSm/iemIo=; fh=QMvUiy5SaDfNyg3kIv97Uouru9disQLfjy9riyQH/9Y=; b=zad9myoJPMbGBegwDppMk46g+oU9kR9SHGH0mcA0LXd1JGtThpV8TdBI3w8nBBGoyj nb8/t9HvzH1vzpom3Wc2FJ7/+YAV1eUdnucjD3/vDucpymIrCZF0dgtLS/vU8cdIu0RB 4nIYFTof7kja7qG0iPtQ5Usd0J86kyMFDkz1Mpf5Ia2zcrJMbSZF4Fmw8aD05Zf0LYeu 3ynBwQ9xI8x6qQGB+pPB2vSFzGwBDaWDAVXrqyu+zVqhbyOUl14LkIBfs3rwX+Te7Tk5 lUMmQEVYy26zrNdNywbtKwn5wcFYZ9Vx9vVhJmwG60DZpdif2JbBdrwiNHQ1lGPcsOxt w/+g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id je2-20020a170903264200b001b7eb86ae19si1885894plb.195.2023.06.25.02.41.47; Sun, 25 Jun 2023 02:41:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231902AbjFYJ3a (ORCPT <rfc822;duw91626@gmail.com> + 99 others); Sun, 25 Jun 2023 05:29:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43100 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230029AbjFYJ33 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Sun, 25 Jun 2023 05:29:29 -0400 Received: from zg8tmtyylji0my4xnjqumte4.icoremail.net (zg8tmtyylji0my4xnjqumte4.icoremail.net [162.243.164.118]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5A6DEE7C; Sun, 25 Jun 2023 02:29:24 -0700 (PDT) Received: from localhost.localdomain (unknown [122.231.255.207]) by mail-app3 (Coremail) with SMTP id cC_KCgD3oQDhCJhkmFWzCA--.56491S4; Sun, 25 Jun 2023 17:29:05 +0800 (CST) From: Lin Ma <linma@zju.edu.cn> To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Lin Ma <linma@zju.edu.cn> Subject: [PATCH v1] net: xfrm: Fix xfrm_address_filter OOB read Date: Sun, 25 Jun 2023 17:28:55 +0800 Message-Id: <20230625092855.207918-1-linma@zju.edu.cn> X-Mailer: git-send-email 2.17.1 X-CM-TRANSID: cC_KCgD3oQDhCJhkmFWzCA--.56491S4 X-Coremail-Antispam: 1UD129KBjvJXoW3GrWUtw1Dur1UCrW3Kr1rZwb_yoWfGr17pF s5KFyIkr4xJ3s8Xr4jyr1Iq3WrGFZrZF1DJrZ7Gr1UAFW7Gr17JrWDAFWDJwsrCrW8AFy7 GFnrJF4jgr18J3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUka14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26rxl 6s0DM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s 0DM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMcIj6xII jxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_Jr0_Gr 1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7MxkIecxEwVAFwVW8uwCF 04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14v26r1j6r 18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vI r41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAFwI0_Jr0_Gr 1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvE x4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUhNVgUUUUU= X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/ X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1769667160294921934?= X-GMAIL-MSGID: =?utf-8?q?1769667160294921934?= |
Series |
[v1] net: xfrm: Fix xfrm_address_filter OOB read
|
|
Commit Message
Lin Ma
June 25, 2023, 9:28 a.m. UTC
We found below OOB crash:
[ 44.211730] ==================================================================
[ 44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0
[ 44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97
[ 44.212045]
[ 44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4
[ 44.212045] Call Trace:
[ 44.212045] <TASK>
[ 44.212045] dump_stack_lvl+0x37/0x50
[ 44.212045] print_report+0xcc/0x620
[ 44.212045] ? __virt_addr_valid+0xf3/0x170
[ 44.212045] ? memcmp+0x8b/0xb0
[ 44.212045] kasan_report+0xb2/0xe0
[ 44.212045] ? memcmp+0x8b/0xb0
[ 44.212045] kasan_check_range+0x39/0x1c0
[ 44.212045] memcmp+0x8b/0xb0
[ 44.212045] xfrm_state_walk+0x21c/0x420
[ 44.212045] ? __pfx_dump_one_state+0x10/0x10
[ 44.212045] xfrm_dump_sa+0x1e2/0x290
[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
[ 44.212045] ? __kernel_text_address+0xd/0x40
[ 44.212045] ? kasan_unpoison+0x27/0x60
[ 44.212045] ? mutex_lock+0x60/0xe0
[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] netlink_dump+0x322/0x6c0
[ 44.212045] ? __pfx_netlink_dump+0x10/0x10
[ 44.212045] ? mutex_unlock+0x7f/0xd0
[ 44.212045] ? __pfx_mutex_unlock+0x10/0x10
[ 44.212045] __netlink_dump_start+0x353/0x430
[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
[ 44.212045] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
[ 44.212045] ? __pfx_xfrm_dump_sa_done+0x10/0x10
[ 44.212045] ? __stack_depot_save+0x382/0x4e0
[ 44.212045] ? filter_irq_stacks+0x1c/0x70
[ 44.212045] ? kasan_save_stack+0x32/0x50
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] ? kasan_set_track+0x25/0x30
[ 44.212045] ? __kasan_slab_alloc+0x59/0x70
[ 44.212045] ? kmem_cache_alloc_node+0xf7/0x260
[ 44.212045] ? kmalloc_reserve+0xab/0x120
[ 44.212045] ? __alloc_skb+0xcf/0x210
[ 44.212045] ? netlink_sendmsg+0x509/0x700
[ 44.212045] ? sock_sendmsg+0xde/0xe0
[ 44.212045] ? __sys_sendto+0x18d/0x230
[ 44.212045] ? __x64_sys_sendto+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? netlink_sendmsg+0x509/0x700
[ 44.212045] ? sock_sendmsg+0xde/0xe0
[ 44.212045] ? __sys_sendto+0x18d/0x230
[ 44.212045] ? __x64_sys_sendto+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] ? kasan_set_track+0x25/0x30
[ 44.212045] ? kasan_save_free_info+0x2e/0x50
[ 44.212045] ? __kasan_slab_free+0x10a/0x190
[ 44.212045] ? kmem_cache_free+0x9c/0x340
[ 44.212045] ? netlink_recvmsg+0x23c/0x660
[ 44.212045] ? sock_recvmsg+0xeb/0xf0
[ 44.212045] ? __sys_recvfrom+0x13c/0x1f0
[ 44.212045] ? __x64_sys_recvfrom+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? copyout+0x3e/0x50
[ 44.212045] netlink_rcv_skb+0xd6/0x210
[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 44.212045] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 44.212045] ? __pfx_sock_has_perm+0x10/0x10
[ 44.212045] ? mutex_lock+0x8d/0xe0
[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
[ 44.212045] xfrm_netlink_rcv+0x44/0x50
[ 44.212045] netlink_unicast+0x36f/0x4c0
[ 44.212045] ? __pfx_netlink_unicast+0x10/0x10
[ 44.212045] ? netlink_recvmsg+0x500/0x660
[ 44.212045] netlink_sendmsg+0x3b7/0x700
[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
[ 44.212045] sock_sendmsg+0xde/0xe0
[ 44.212045] __sys_sendto+0x18d/0x230
[ 44.212045] ? __pfx___sys_sendto+0x10/0x10
[ 44.212045] ? rcu_core+0x44a/0xe10
[ 44.212045] ? __rseq_handle_notify_resume+0x45b/0x740
[ 44.212045] ? _raw_spin_lock_irq+0x81/0xe0
[ 44.212045] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 44.212045] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
[ 44.212045] ? __pfx_blkcg_maybe_throttle_current+0x10/0x10
[ 44.212045] ? __pfx_task_work_run+0x10/0x10
[ 44.212045] __x64_sys_sendto+0x71/0x90
[ 44.212045] do_syscall_64+0x3f/0x90
[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] RIP: 0033:0x44b7da
[ 44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da
[ 44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003
[ 44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c
[ 44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001
[ 44.212045] </TASK>
[ 44.212045]
[ 44.212045] Allocated by task 97:
[ 44.212045] kasan_save_stack+0x22/0x50
[ 44.212045] kasan_set_track+0x25/0x30
[ 44.212045] __kasan_kmalloc+0x7f/0x90
[ 44.212045] __kmalloc_node_track_caller+0x5b/0x140
[ 44.212045] kmemdup+0x21/0x50
[ 44.212045] xfrm_dump_sa+0x17d/0x290
[ 44.212045] netlink_dump+0x322/0x6c0
[ 44.212045] __netlink_dump_start+0x353/0x430
[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
[ 44.212045] netlink_rcv_skb+0xd6/0x210
[ 44.212045] xfrm_netlink_rcv+0x44/0x50
[ 44.212045] netlink_unicast+0x36f/0x4c0
[ 44.212045] netlink_sendmsg+0x3b7/0x700
[ 44.212045] sock_sendmsg+0xde/0xe0
[ 44.212045] __sys_sendto+0x18d/0x230
[ 44.212045] __x64_sys_sendto+0x71/0x90
[ 44.212045] do_syscall_64+0x3f/0x90
[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045]
[ 44.212045] The buggy address belongs to the object at ffff88800870f300
[ 44.212045] which belongs to the cache kmalloc-64 of size 64
[ 44.212045] The buggy address is located 32 bytes inside of
[ 44.212045] allocated 36-byte region [ffff88800870f300, ffff88800870f324)
[ 44.212045]
[ 44.212045] The buggy address belongs to the physical page:
[ 44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ...
[ 44.212045] flags: 0x100000000000200(slab|node=0|zone=1)
[ 44.212045] page_type: 0xffffffff()
[ 44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000
[ 44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 44.212045] page dumped because: kasan: bad access detected
[ 44.212045]
[ 44.212045] Memory state around the buggy address:
[ 44.212045] ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 44.212045] ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ^
[ 44.212045] ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ==================================================================
By investigating the code, we find the root cause of this OOB is the lack
of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass
arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states,
the attacker can achieve 8 bytes heap OOB read, which causes info leak.
if (attrs[XFRMA_ADDRESS_FILTER]) {
filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
sizeof(*filter), GFP_KERNEL);
if (filter == NULL)
return -ENOMEM;
// NO MORE CHECKS HERE !!!
}
This patch fixes the OOB by adding necessary boundary checks, just like
the code in pfkey_dump() function.
Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
net/xfrm/xfrm_user.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
On Sun, Jun 25, 2023 at 05:28:55PM +0800, Lin Ma wrote: > We found below OOB crash: > > [ 44.211730] ================================================================== > [ 44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0 > [ 44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97 > [ 44.212045] > [ 44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4 > [ 44.212045] Call Trace: > [ 44.212045] <TASK> > [ 44.212045] dump_stack_lvl+0x37/0x50 > [ 44.212045] print_report+0xcc/0x620 > [ 44.212045] ? __virt_addr_valid+0xf3/0x170 > [ 44.212045] ? memcmp+0x8b/0xb0 > [ 44.212045] kasan_report+0xb2/0xe0 > [ 44.212045] ? memcmp+0x8b/0xb0 > [ 44.212045] kasan_check_range+0x39/0x1c0 > [ 44.212045] memcmp+0x8b/0xb0 > [ 44.212045] xfrm_state_walk+0x21c/0x420 > [ 44.212045] ? __pfx_dump_one_state+0x10/0x10 > [ 44.212045] xfrm_dump_sa+0x1e2/0x290 > [ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10 > [ 44.212045] ? __kernel_text_address+0xd/0x40 > [ 44.212045] ? kasan_unpoison+0x27/0x60 > [ 44.212045] ? mutex_lock+0x60/0xe0 > [ 44.212045] ? __pfx_mutex_lock+0x10/0x10 > [ 44.212045] ? kasan_save_stack+0x22/0x50 > [ 44.212045] netlink_dump+0x322/0x6c0 > [ 44.212045] ? __pfx_netlink_dump+0x10/0x10 > [ 44.212045] ? mutex_unlock+0x7f/0xd0 > [ 44.212045] ? __pfx_mutex_unlock+0x10/0x10 > [ 44.212045] __netlink_dump_start+0x353/0x430 > [ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410 > [ 44.212045] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 > [ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 > [ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10 > [ 44.212045] ? __pfx_xfrm_dump_sa_done+0x10/0x10 > [ 44.212045] ? __stack_depot_save+0x382/0x4e0 > [ 44.212045] ? filter_irq_stacks+0x1c/0x70 > [ 44.212045] ? kasan_save_stack+0x32/0x50 > [ 44.212045] ? kasan_save_stack+0x22/0x50 > [ 44.212045] ? kasan_set_track+0x25/0x30 > [ 44.212045] ? __kasan_slab_alloc+0x59/0x70 > [ 44.212045] ? kmem_cache_alloc_node+0xf7/0x260 > [ 44.212045] ? kmalloc_reserve+0xab/0x120 > [ 44.212045] ? __alloc_skb+0xcf/0x210 > [ 44.212045] ? netlink_sendmsg+0x509/0x700 > [ 44.212045] ? sock_sendmsg+0xde/0xe0 > [ 44.212045] ? __sys_sendto+0x18d/0x230 > [ 44.212045] ? __x64_sys_sendto+0x71/0x90 > [ 44.212045] ? do_syscall_64+0x3f/0x90 > [ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc > [ 44.212045] ? netlink_sendmsg+0x509/0x700 > [ 44.212045] ? sock_sendmsg+0xde/0xe0 > [ 44.212045] ? __sys_sendto+0x18d/0x230 > [ 44.212045] ? __x64_sys_sendto+0x71/0x90 > [ 44.212045] ? do_syscall_64+0x3f/0x90 > [ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc > [ 44.212045] ? kasan_save_stack+0x22/0x50 > [ 44.212045] ? kasan_set_track+0x25/0x30 > [ 44.212045] ? kasan_save_free_info+0x2e/0x50 > [ 44.212045] ? __kasan_slab_free+0x10a/0x190 > [ 44.212045] ? kmem_cache_free+0x9c/0x340 > [ 44.212045] ? netlink_recvmsg+0x23c/0x660 > [ 44.212045] ? sock_recvmsg+0xeb/0xf0 > [ 44.212045] ? __sys_recvfrom+0x13c/0x1f0 > [ 44.212045] ? __x64_sys_recvfrom+0x71/0x90 > [ 44.212045] ? do_syscall_64+0x3f/0x90 > [ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc > [ 44.212045] ? copyout+0x3e/0x50 > [ 44.212045] netlink_rcv_skb+0xd6/0x210 > [ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10 > [ 44.212045] ? __pfx_netlink_rcv_skb+0x10/0x10 > [ 44.212045] ? __pfx_sock_has_perm+0x10/0x10 > [ 44.212045] ? mutex_lock+0x8d/0xe0 > [ 44.212045] ? __pfx_mutex_lock+0x10/0x10 > [ 44.212045] xfrm_netlink_rcv+0x44/0x50 > [ 44.212045] netlink_unicast+0x36f/0x4c0 > [ 44.212045] ? __pfx_netlink_unicast+0x10/0x10 > [ 44.212045] ? netlink_recvmsg+0x500/0x660 > [ 44.212045] netlink_sendmsg+0x3b7/0x700 > [ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10 > [ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10 > [ 44.212045] sock_sendmsg+0xde/0xe0 > [ 44.212045] __sys_sendto+0x18d/0x230 > [ 44.212045] ? __pfx___sys_sendto+0x10/0x10 > [ 44.212045] ? rcu_core+0x44a/0xe10 > [ 44.212045] ? __rseq_handle_notify_resume+0x45b/0x740 > [ 44.212045] ? _raw_spin_lock_irq+0x81/0xe0 > [ 44.212045] ? __pfx___rseq_handle_notify_resume+0x10/0x10 > [ 44.212045] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10 > [ 44.212045] ? __pfx_blkcg_maybe_throttle_current+0x10/0x10 > [ 44.212045] ? __pfx_task_work_run+0x10/0x10 > [ 44.212045] __x64_sys_sendto+0x71/0x90 > [ 44.212045] do_syscall_64+0x3f/0x90 > [ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc > [ 44.212045] RIP: 0033:0x44b7da > [ 44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c > [ 44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da > [ 44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003 > [ 44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c > [ 44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 > [ 44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001 > [ 44.212045] </TASK> > [ 44.212045] > [ 44.212045] Allocated by task 97: > [ 44.212045] kasan_save_stack+0x22/0x50 > [ 44.212045] kasan_set_track+0x25/0x30 > [ 44.212045] __kasan_kmalloc+0x7f/0x90 > [ 44.212045] __kmalloc_node_track_caller+0x5b/0x140 > [ 44.212045] kmemdup+0x21/0x50 > [ 44.212045] xfrm_dump_sa+0x17d/0x290 > [ 44.212045] netlink_dump+0x322/0x6c0 > [ 44.212045] __netlink_dump_start+0x353/0x430 > [ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410 > [ 44.212045] netlink_rcv_skb+0xd6/0x210 > [ 44.212045] xfrm_netlink_rcv+0x44/0x50 > [ 44.212045] netlink_unicast+0x36f/0x4c0 > [ 44.212045] netlink_sendmsg+0x3b7/0x700 > [ 44.212045] sock_sendmsg+0xde/0xe0 > [ 44.212045] __sys_sendto+0x18d/0x230 > [ 44.212045] __x64_sys_sendto+0x71/0x90 > [ 44.212045] do_syscall_64+0x3f/0x90 > [ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc > [ 44.212045] > [ 44.212045] The buggy address belongs to the object at ffff88800870f300 > [ 44.212045] which belongs to the cache kmalloc-64 of size 64 > [ 44.212045] The buggy address is located 32 bytes inside of > [ 44.212045] allocated 36-byte region [ffff88800870f300, ffff88800870f324) > [ 44.212045] > [ 44.212045] The buggy address belongs to the physical page: > [ 44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ... > [ 44.212045] flags: 0x100000000000200(slab|node=0|zone=1) > [ 44.212045] page_type: 0xffffffff() > [ 44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000 > [ 44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 > [ 44.212045] page dumped because: kasan: bad access detected > [ 44.212045] > [ 44.212045] Memory state around the buggy address: > [ 44.212045] ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc > [ 44.212045] ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc > [ 44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc > [ 44.212045] ^ > [ 44.212045] ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > [ 44.212045] ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > [ 44.212045] ================================================================== > > By investigating the code, we find the root cause of this OOB is the lack > of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass > arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states, > the attacker can achieve 8 bytes heap OOB read, which causes info leak. > > if (attrs[XFRMA_ADDRESS_FILTER]) { > filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]), > sizeof(*filter), GFP_KERNEL); > if (filter == NULL) > return -ENOMEM; > // NO MORE CHECKS HERE !!! > } > > This patch fixes the OOB by adding necessary boundary checks, just like > the code in pfkey_dump() function. > > Fixes: d3623099d350 ("ipsec: add support of limited SA dump") > Signed-off-by: Lin Ma <linma@zju.edu.cn> > --- > net/xfrm/xfrm_user.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c > index c34a2a06ca94..a73ae4ad8096 100644 > --- a/net/xfrm/xfrm_user.c > +++ b/net/xfrm/xfrm_user.c > @@ -1267,6 +1267,10 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) > sizeof(*filter), GFP_KERNEL); > if (filter == NULL) > return -ENOMEM; > + > + if (filter->splen >= (sizeof(xfrm_address_t) << 3) || > + filter->dplen >= (sizeof(xfrm_address_t) << 3)) > + return -EINVAL; Hi Lin Ma, It appears that the memory allocation for filter is leaked if the new condition above is met. > } > > if (attrs[XFRMA_PROTO]) > -- > 2.17.1 > >
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c34a2a06ca94..a73ae4ad8096 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1267,6 +1267,10 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) sizeof(*filter), GFP_KERNEL); if (filter == NULL) return -ENOMEM; + + if (filter->splen >= (sizeof(xfrm_address_t) << 3) || + filter->dplen >= (sizeof(xfrm_address_t) << 3)) + return -EINVAL; } if (attrs[XFRMA_PROTO])