Commit bc705996 authored May 05, 2017 by Steffen Klassert Committed by Greg Kroah-Hartman Apr 13, 2018

af_key: Fix slab-out-of-bounds in pfkey_compile_policy.




[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ]

The sadb_x_sec_len is stored in the unit 'byte divided by eight'.
So we have to multiply this value by eight before we can do
size checks. Otherwise we may get a slab-out-of-bounds when
we memcpy the user sec_ctx.

Fixes: df71837d ("[LSM-IPSec]: Security association restriction.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 51188ac2

net/key/af_key.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3301,7 +3301,7 @@ static struct xfrm_policy pfkey_compile_policy(struct sock sk, int opt,
		p += pol->sadb_x_policy_len*8;
		sec_ctx = (struct sadb_x_sec_ctx *)p;
		if (len < pol->sadb_x_policy_len*8 +
		sec_ctx->sadb_x_sec_len) {
		sec_ctx->sadb_x_sec_len*8) {
		*dir = -EINVAL;
		goto out;
		}