<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/net/key, branch linux-4.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-4.1.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-4.1.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2018-05-23T01:36:22+00:00</updated>
<entry>
<title>af_key: Fix slab-out-of-bounds in pfkey_compile_policy.</title>
<updated>2018-05-23T01:36:22+00:00</updated>
<author>
<name>Steffen Klassert</name>
<email>steffen.klassert@secunet.com</email>
</author>
<published>2017-05-05T05:40:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4734188068bf9de8c61ee0e5b456ab0647a17d9f'/>
<id>urn:sha1:4734188068bf9de8c61ee0e5b456ab0647a17d9f</id>
<content type='text'>
[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ]

The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.

Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
</entry>
<entry>
<title>af_key: fix buffer overread in parse_exthdrs()</title>
<updated>2018-03-01T03:09:38+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2017-12-30T00:15:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b866e768648fcd0b46fe6ba4a21577c12fb42ba1'/>
<id>urn:sha1:b866e768648fcd0b46fe6ba4a21577c12fb42ba1</id>
<content type='text'>
[ Upstream commit 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 ]

If a message sent to a PF_KEY socket ended with an incomplete extension
header (fewer than 4 bytes remaining), then parse_exthdrs() read past
the end of the message, into uninitialized memory.  Fix it by returning
-EINVAL in this case.

Reproducer:

	#include &lt;linux/pfkeyv2.h&gt;
	#include &lt;sys/socket.h&gt;
	#include &lt;unistd.h&gt;

	int main()
	{
		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
		char buf[17] = { 0 };
		struct sadb_msg *msg = (void *)buf;

		msg-&gt;sadb_msg_version = PF_KEY_V2;
		msg-&gt;sadb_msg_type = SADB_DELETE;
		msg-&gt;sadb_msg_len = 2;

		write(sock, buf, 17);
	}

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
</entry>
<entry>
<title>af_key: fix buffer overread in verify_address_len()</title>
<updated>2018-03-01T03:09:38+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2017-12-30T00:13:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ef5be9afe0eb4edcd711ad2ddb3fa25ad1bdcbda'/>
<id>urn:sha1:ef5be9afe0eb4edcd711ad2ddb3fa25ad1bdcbda</id>
<content type='text'>
[ Upstream commit 06b335cb51af018d5feeff5dd4fd53847ddb675a ]

If a message sent to a PF_KEY socket ended with one of the extensions
that takes a 'struct sadb_address' but there were not enough bytes
remaining in the message for the -&gt;sa_family member of the 'struct
sockaddr' which is supposed to follow, then verify_address_len() read
past the end of the message, into uninitialized memory.  Fix it by
returning -EINVAL in this case.

This bug was found using syzkaller with KMSAN.

Reproducer:

	#include &lt;linux/pfkeyv2.h&gt;
	#include &lt;sys/socket.h&gt;
	#include &lt;unistd.h&gt;

	int main()
	{
		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
		char buf[24] = { 0 };
		struct sadb_msg *msg = (void *)buf;
		struct sadb_address *addr = (void *)(msg + 1);

		msg-&gt;sadb_msg_version = PF_KEY_V2;
		msg-&gt;sadb_msg_type = SADB_DELETE;
		msg-&gt;sadb_msg_len = 3;
		addr-&gt;sadb_address_len = 1;
		addr-&gt;sadb_address_exttype = SADB_EXT_ADDRESS_SRC;

		write(sock, buf, 24);
	}

Reported-by: Alexander Potapenko &lt;glider@google.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
</entry>
<entry>
<title>af_key: Add lock to key dump</title>
<updated>2017-09-10T20:35:45+00:00</updated>
<author>
<name>Yuejie Shi</name>
<email>syjcnss@gmail.com</email>
</author>
<published>2017-03-31T07:10:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cf655d393c2a1767c073ea6d1028bacaff4e9f49'/>
<id>urn:sha1:cf655d393c2a1767c073ea6d1028bacaff4e9f49</id>
<content type='text'>
[ Upstream commit 89e357d83c06b6fac581c3ca7f0ee3ae7e67109e ]

A dump may come in the middle of another dump, modifying its dump
structure members. This race condition will result in NULL pointer
dereference in kernel. So add a lock to prevent that race.

Fixes: 83321d6b9872 ("[AF_KEY]: Dump SA/SP entries non-atomically")
Signed-off-by: Yuejie Shi &lt;syjcnss@gmail.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
</entry>
<entry>
<title>af_key: Fix sadb_x_ipsecrequest parsing</title>
<updated>2017-09-10T14:59:16+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2017-04-13T10:35:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=000a69fc0b07d33a76bc7c8da4371a4bb005504c'/>
<id>urn:sha1:000a69fc0b07d33a76bc7c8da4371a4bb005504c</id>
<content type='text'>
[ Upstream commit 096f41d3a8fcbb8dde7f71379b1ca85fe213eded ]

The parsing of sadb_x_ipsecrequest is broken in a number of ways.
First of all we're not verifying sadb_x_ipsecrequest_len.  This
is needed when the structure carries addresses at the end.  Worse
we don't even look at the length when we parse those optional
addresses.

The migration code had similar parsing code that's better but
it also has some deficiencies.  The length is overcounted first
of all as it includes the header itself.  It also fails to check
the length before dereferencing the sa_family field.

This patch fixes those problems in parse_sockaddr_pair and then
uses it in parse_ipsecrequest.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
</entry>
<entry>
<title>xfrm: Oops on error in pfkey_msg2xfrm_state()</title>
<updated>2017-07-31T17:37:52+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2017-06-14T10:34:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ee99c95698470130a10d5145fec30d82b6369140'/>
<id>urn:sha1:ee99c95698470130a10d5145fec30d82b6369140</id>
<content type='text'>
[ Upstream commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 ]

There are some missing error codes here so we accidentally return NULL
instead of an error pointer.  It results in a NULL pointer dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
</entry>
<entry>
<title>xfrm: NULL dereference on allocation failure</title>
<updated>2017-07-31T17:37:51+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2017-06-14T10:35:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1a6224f1a27f6e4946df3037530b0eb8c7e2ba7b'/>
<id>urn:sha1:1a6224f1a27f6e4946df3037530b0eb8c7e2ba7b</id>
<content type='text'>
[ Upstream commit e747f64336fc15e1c823344942923195b800aa1e ]

The default error code in pfkey_msg2xfrm_state() is -ENOBUFS.  We
added a new call to security_xfrm_state_alloc() which sets "err" to zero
so there several places where we can return ERR_PTR(0) if kmalloc()
fails.  The caller is expecting error pointers so it leads to a NULL
dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
</entry>
<entry>
<title>xfrm: simplify xfrm_address_t use</title>
<updated>2015-03-31T17:58:35+00:00</updated>
<author>
<name>Jiri Benc</name>
<email>jbenc@redhat.com</email>
</author>
<published>2015-03-29T14:59:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=15e318bdc6dfb82914c82fb7ad00badaa8387d8e'/>
<id>urn:sha1:15e318bdc6dfb82914c82fb7ad00badaa8387d8e</id>
<content type='text'>
In many places, the a6 field is typecasted to struct in6_addr. As the
fields are in union anyway, just add in6_addr type to the union and
get rid of the typecasting.

Modifying the uapi header is okay, the union has still the same size.

Signed-off-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: Remove iocb argument from sendmsg and recvmsg</title>
<updated>2015-03-02T18:06:31+00:00</updated>
<author>
<name>Ying Xue</name>
<email>ying.xue@windriver.com</email>
</author>
<published>2015-03-02T07:37:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1b784140474e4fc94281a49e96c67d29df0efbde'/>
<id>urn:sha1:1b784140474e4fc94281a49e96c67d29df0efbde</id>
<content type='text'>
After TIPC doesn't depend on iocb argument in its internal
implementations of sendmsg() and recvmsg() hooks defined in proto
structure, no any user is using iocb argument in them at all now.
Then we can drop the redundant iocb argument completely from kinds of
implementations of both sendmsg() and recvmsg() in the entire
networking stack.

Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Suggested-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Ying Xue &lt;ying.xue@windriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>new helper: memcpy_from_msg()</title>
<updated>2014-11-24T09:28:48+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2014-04-07T01:25:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6ce8e9ce5989ae13f493062975304700be86d20e'/>
<id>urn:sha1:6ce8e9ce5989ae13f493062975304700be86d20e</id>
<content type='text'>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
</feed>
