| Message ID | 20230721014411.2407082-1-linma@zju.edu.cn |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:c923:0:b0:3e4:2afc:c1 with SMTP id j3csp3496712vqt;
Thu, 20 Jul 2023 18:59:57 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlEigzm57Uwaw2fud56m5qMT8pVLMZvv4BrF+7t1dT1LxrzLIhPa6pZcJFz1cj+naHRlgvY3
X-Received: by 2002:a05:6e02:b2e:b0:348:b114:a3d2 with SMTP id
e14-20020a056e020b2e00b00348b114a3d2mr659978ilu.21.1689904797189;
Thu, 20 Jul 2023 18:59:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689904797; cv=none;
d=google.com; s=arc-20160816;
b=HWMpSLUhiaCIAp7oo2zL0OVt7Sw9N5jWxCZth19rk5HS2QWNjfE1pkVkWFys5xGvG8
efn+773UVcV1H/xGcXqzQNcwPrCucdvTj9mLbHzZ6vgY4ukkHXnWvE03FBeK07bUkbJ3
YCb6pUsIkJALaXSIHykBKwxYYMK9qZgphKRmu/H+6guMkhw7qZNDEGVP4kwZZiNLlu1k
+eAN4wARpIk9i+TGxQEoVibBn3T43XanZHNmJxvujL+Y2vwx++F/Db7Qgk0c2F7gqY1T
u57A0REiroweJjP1gwrRtUFNpIA2aD4MikP2VMH/GlAIkY5p8svqlDPb0vRlcLN005ff
67Cg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:message-id:date:subject:cc:to:from;
bh=seoZyDmT/Pmx3kiEdKY/+MIgqs9u26l/kVRh8c/qFAE=;
fh=7p6h4zLGIiXj4NR3UpPWFEfInqn1MZxapWyfkzl/v9k=;
b=T+XWrWlmtCOHuj732mirBb4vbfGufyRv+dFJmfXLX37XEbzTvYynLLWcnZ+G7zQcOP
yvT6mUpUFq1nfCY7sLFBaBlN77uVN64zo8IK7KhOPl79jRCu5dYpRADat1Rmj1QrIAEh
9y1DqnTWATieSSUWi1Wtf4bHRRvAlaKguAh0OPlzQgHA7LddCJAAxuPF7luUJoLTZRJP
ZaNP5Iew46OCpmj78LqVqN6/sDQyKCoYGJMfwRYwg6GSq9J5AUqcyyMElz1bm3yBBgyj
8PiTa73/7IaJKsiW90pSV+ygEy/8xOuQoqodA/L1G0IrjrbW6RmHlk1izVBxkw5sizi8
zLLw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
c6-20020a056a000ac600b0067c03d5624csi2179464pfl.293.2023.07.20.18.59.42;
Thu, 20 Jul 2023 18:59:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229867AbjGUBoi (ORCPT <rfc822;chrisben.tianve@gmail.com>
+ 99 others); Thu, 20 Jul 2023 21:44:38 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51498 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229450AbjGUBog (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 20 Jul 2023 21:44:36 -0400
Received: from zg8tmja2lje4os4yms4ymjma.icoremail.net
(zg8tmja2lje4os4yms4ymjma.icoremail.net [206.189.21.223])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id 99ED72106;
Thu, 20 Jul 2023 18:44:32 -0700 (PDT)
Received: from localhost.localdomain (unknown [39.174.92.167])
by mail-app4 (Coremail) with SMTP id cS_KCgBHTQ3s4rlksajGCQ--.42906S4;
Fri, 21 Jul 2023 09:44:13 +0800 (CST)
From: Lin Ma <linma@zju.edu.cn>
To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: Lin Ma <linma@zju.edu.cn>
Subject: [PATCH v1] xfrm: add NULL check in xfrm_update_ae_params
Date: Fri, 21 Jul 2023 09:44:11 +0800
Message-Id: <20230721014411.2407082-1-linma@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-CM-TRANSID: cS_KCgBHTQ3s4rlksajGCQ--.42906S4
X-Coremail-Antispam: 1UD129KBjvJXoWxZFyrGF1rGr1fWF4Dtr4fXwb_yoWrGF1UpF
W5Kw4jkr4rXr1UZr4UJr1aqr1jvF48ZF1DCr93Xr1FyFy5Grn5WFyUJ3yUurykArWDAFy7
J3W5tr18tw1YkaDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDU0xBIdaVrnRJUUUyl14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U
JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc
CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E
2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV
W8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1l42xK82IYc2Ij64vI
r41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8Gjc
xK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0
cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42xK8V
AvwI8IcIk0rVWUJVWUCwCI42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E
14v26r4j6r4UJbIYCTnIWIevJa73UjIFyTuYvjfUoOJ5UUUUU
X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1771993612298198777
X-GMAIL-MSGID: 1771993612298198777
|
| Series |
[v1] xfrm: add NULL check in xfrm_update_ae_params
|
|
Commit Message
Lin Ma
July 21, 2023, 1:44 a.m. UTC
Normally, x->replay_esn and x->preplay_esn should be allocated at
xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(..), hence the
frm_update_ae_params(...) is okay to update them. However, the current
impelementation of xfrm_new_ae(...) allows a malicious user to directly
dereference a NULL pointer and crash the kernel like below.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
RIP: 0010:memcpy_orig+0xad/0x140
Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
RSP: 0018:ffff888008f57658 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
Call Trace:
<TASK>
? __die+0x1f/0x70
? page_fault_oops+0x1e8/0x500
? __pfx_is_prefetch.constprop.0+0x10/0x10
? __pfx_page_fault_oops+0x10/0x10
? _raw_spin_unlock_irqrestore+0x11/0x40
? fixup_exception+0x36/0x460
? _raw_spin_unlock_irqrestore+0x11/0x40
? exc_page_fault+0x5e/0xc0
? asm_exc_page_fault+0x26/0x30
? xfrm_update_ae_params+0xd1/0x260
? memcpy_orig+0xad/0x140
? __pfx__raw_spin_lock_bh+0x10/0x10
xfrm_update_ae_params+0xe7/0x260
xfrm_new_ae+0x298/0x4e0
? __pfx_xfrm_new_ae+0x10/0x10
xfrm_user_rcv_msg+0x25a/0x410
? __pfx_xfrm_user_rcv_msg+0x10/0x10
? __alloc_skb+0xcf/0x210
? stack_trace_save+0x90/0xd0
? filter_irq_stacks+0x1c/0x70
? __stack_depot_save+0x39/0x4e0
? __kasan_slab_free+0x10a/0x190
? kmem_cache_free+0x9c/0x340
? netlink_recvmsg+0x23c/0x660
? sock_recvmsg+0xeb/0xf0
? __sys_recvfrom+0x13c/0x1f0
? __x64_sys_recvfrom+0x71/0x90
? do_syscall_64+0x3f/0x90
? entry_SYSCALL_64_after_hwframe+0x72/0xdc
? copyout+0x3e/0x50
netlink_rcv_skb+0xd6/0x210
? __pfx_xfrm_user_rcv_msg+0x10/0x10
? __pfx_netlink_rcv_skb+0x10/0x10
? __pfx_sock_has_perm+0x10/0x10
? mutex_lock+0x8d/0xe0
? __pfx_mutex_lock+0x10/0x10
xfrm_netlink_rcv+0x44/0x50
netlink_unicast+0x36f/0x4c0
? __pfx_netlink_unicast+0x10/0x10
? netlink_recvmsg+0x500/0x660
netlink_sendmsg+0x3b7/0x700
This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
adds additional NULL check in xfrm_update_ae_params to fix the NPD.
Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
net/xfrm/xfrm_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Fri, Jul 21, 2023 at 09:44:11AM +0800, Lin Ma wrote: > Normally, x->replay_esn and x->preplay_esn should be allocated at > xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(..), hence the > frm_update_ae_params(...) is okay to update them. However, the current > impelementation of xfrm_new_ae(...) allows a malicious user to directly nit: impelementation -> implementation ...
Hello Simon, > > nit: impelementation -> implementation > > ... Oooops, so sorry. :O Have sent the second version of this patch. Thanks! Have a great weekend. Regards Lin
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c34a2a06ca94..bf2564967501 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -628,7 +628,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; - if (re) { + if (re && x->replay_esn && x->preplay_esn) { struct xfrm_replay_state_esn *replay_esn; replay_esn = nla_data(re); memcpy(x->replay_esn, replay_esn,