[Devel,RHEL7,COMMIT] ms/xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window

Submitted by Konstantin Khorenko on March 30, 2017, 12:14 p.m.


Message ID 201703301214.v2UCEmon018019@finist_cl7.x64_64.work.ct
State New
Series "ms/xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder"

Commit Message

Konstantin Khorenko March 30, 2017, 12:14 p.m.
The commit is pushed to "branch-rh7-3.10.0-514.10.2.vz7.29.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.10.2.vz7.29.8
commit 8092d77170860995125b6b686e30b82007adaa00
Author: Andy Whitcroft <apw@canonical.com>
Date:   Wed Mar 22 07:29:31 2017 +0000

    ms/xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window

    When a new xfrm state is created during an XFRM_MSG_NEWSA call we
    validate the user supplied replay_esn to ensure that the size is valid
    and to ensure that the replay_window size is within the allocated
    buffer.  However later it is possible to update this replay_esn via a
    XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
    buffer matches the existing state and if so inject the contents.  We do
    not at this point check that the replay_window is within the allocated
    memory.  This leads to out-of-bounds reads and writes triggered by
    netlink packets.  This leads to memory corruption and the potential for
    privilege escalation.

    We already attempt to validate the incoming replay information in
    xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
    is not trying to change the size of the replay state buffer which
    includes the replay_esn.  It however does not check the replay_window
    remains within that buffer.  Add validation of the contained

    Signed-off-by: Andy Whitcroft <apw@canonical.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    (cherry picked from commit 677e806da4d916052585301785d847c3b3e6186a)
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index af5dac6..3ee8c69 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -390,6 +390,9 @@  static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
 	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
 		return -EINVAL;
+	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+		return -EINVAL;
 	return 0;
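Review bot: the new check rejects only `replay_window > bmp_len * 32`, so a window exactly equal to the bitmap size in bits is accepted; confirm this is the same bound the XFRM_MSG_NEWSA path applies to the same field (the commit message states that path already checks replay_window against the allocated buffer), since a stricter or looser limit there would let the two paths disagree on what a valid window is. A short comment above the added lines, e.g. `/* replay_window must fit inside the bmp_len-word bitmap */`, would also make the intent of the `* sizeof(__u32) * 8` term clear to the next reader, and the existing `nla_len(rp) < ulen` check a few lines above is what guarantees `bmp_len` itself has already been bounded before it is used in this multiplication.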