On Mon, Nov 6, 2017 at 11:16 AM, Steffen Klassert
<steffen.klass...@secunet.com> wrote:
> On Fri, Nov 03, 2017 at 01:10:12PM +0100, Steffen Klassert wrote:
>> On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote:
>> > Steffen Klassert <steffen.klass...@secunet.com> wrote:
>> >
>> > > I'd propose to use the addresses from the template unconditionally,
>> > > like the (untested) patch below does.
>> > >
>> > > Unfortunalely the reproducer does not work with my config,
>> > > sendto returns EAGAIN. Could anybody try this patch?
>> >
>> > The reproducer no longer causes KASAN spew with your patch,
>> > but i don't have a test case that actually creates/uses a tunnel.
>>
>> The patch passed my standard tests, so I tend apply it
>> after a day in the ipsec/testing branch.
>
> FYI: I've just applied the patch below to the ipsec tree.
Thanks
Let's tell the bot what fixes this:
#syz fix: xfrm: Fix stack-out-of-bounds read in xfrm_state_find.
> Subject: [PATCH ipsec] xfrm: Fix stack-out-of-bounds read in xfrm_state_find.
>
> When we do tunnel or beet mode, we pass saddr and daddr from the
> template to xfrm_state_find(), this is ok. On transport mode,
> we pass the addresses from the flowi, assuming that the IP
> addresses (and address family) don't change during transformation.
> This assumption is wrong in the IPv4 mapped IPv6 case, packet
> is IPv4 and template is IPv6. Fix this by using the addresses
> from the template unconditionally.
>
> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
> ---
> net/xfrm/xfrm_policy.c | 29 +++++++++++------------------
> 1 file changed, 11 insertions(+), 18 deletions(-)
>
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index a2e531b..6eb228a 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -1361,36 +1361,29 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy,
> const struct flowi *fl,
> struct net *net = xp_net(policy);
> int nx;
> int i, error;
> - xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
> - xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
> xfrm_address_t tmp;
>
> for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
> struct xfrm_state *x;
> - xfrm_address_t *remote = daddr;
> - xfrm_address_t *local = saddr;
> + xfrm_address_t *local;
> + xfrm_address_t *remote;
> struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
>
> - if (tmpl->mode == XFRM_MODE_TUNNEL ||
> - tmpl->mode == XFRM_MODE_BEET) {
> - remote = &tmpl->id.daddr;
> - local = &tmpl->saddr;
> - if (xfrm_addr_any(local, tmpl->encap_family)) {
> - error = xfrm_get_saddr(net, fl->flowi_oif,
> - &tmp, remote,
> - tmpl->encap_family, 0);
> - if (error)
> - goto fail;
> - local = &tmp;
> - }
> + remote = &tmpl->id.daddr;
> + local = &tmpl->saddr;
> + if (xfrm_addr_any(local, tmpl->encap_family)) {
> + error = xfrm_get_saddr(net, fl->flowi_oif,
> + &tmp, remote,
> + tmpl->encap_family, 0);
> + if (error)
> + goto fail;
> + local = &tmp;
> }
>
> x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
> family);
>
> if (x && x->km.state == XFRM_STATE_VALID) {
> xfrm[nx++] = x;
> - daddr = remote;
> - saddr = local;
> continue;
> }
> if (x) {
> --
> 2.7.4
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/20171106101646.GG23855%40secunet.com.
> For more options, visit https://groups.google.com/d/optout.
