[Devel] [PATCH RHEL7 COMMIT] ms/xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

Konstantin Khorenko khorenko at virtuozzo.com
Thu Mar 30 05:14:57 PDT 2017

The commit is pushed to "branch-rh7-3.10.0-514.10.2.vz7.29.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.10.2.vz7.29.8
commit af3d6f628d6a3dbeed09b45541a6c0c2670b7f80
Author: Andy Whitcroft <apw at canonical.com>
Date:   Thu Mar 23 07:45:44 2017 +0000

    ms/xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

    Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
    wrapping issues.  To ensure we are correctly ensuring that the two ESN
    structures are the same size compare both the overall size as reported
    by xfrm_replay_state_esn_len() and the internal length are the same.

    Signed-off-by: Andy Whitcroft <apw at canonical.com>
    Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
    (cherry picked from commit f843ee6dd019bcece3e74e76ad9df0155655d0df)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
 net/xfrm/xfrm_user.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3ee8c69..ec9f399 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -387,7 +387,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
 	up = nla_data(rp);
 	ulen = xfrm_replay_state_esn_len(up);
-	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+	/* Check the overall length and the internal bitmap length to avoid
+	 * potential overflow. */
+	if (nla_len(rp) < ulen ||
+	    xfrm_replay_state_esn_len(replay_esn) != ulen ||
+	    replay_esn->bmp_len != up->bmp_len)
 		return -EINVAL;
 	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
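Review bot: the new comment "to avoid potential overflow" should state which overflow the added `replay_esn->bmp_len != up->bmp_len` condition closes, otherwise a later reader will see the existing `xfrm_replay_state_esn_len(replay_esn) != ulen` comparison and assume the extra check is redundant. The commit message gives the reason: xfrm_replay_state_esn_len() is computed from the user-supplied bmp_len and can wrap, so a crafted bmp_len can produce a ulen equal to the kernel-side length while the bitmap lengths actually differ; only the direct bmp_len comparison rules that out. Suggest wording the comment along the lines of "xfrm_replay_state_esn_len() is derived from bmp_len and can wrap, so equal lengths do not imply equal bmp_len; compare both." Note also that the length comparison on its own still lets the `up->replay_window > up->bmp_len * sizeof(__u32) * 8` check below run against a wrapped bmp_len, which is a second reason the bmp_len equality must be established first.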