android_kernel_samsung_a7y1.../net
Xin Long f5a3d5c320 xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream.

Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
syz:

  BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
  Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650

  Call Trace:
   dump_stack+0xe8/0x16e
   print_address_description.cold.3+0x9/0x23b
   kasan_report.cold.4+0x64/0x95
   memcpy+0x1f/0x50
   selinux_xfrm_alloc_user+0x237/0x430
   security_xfrm_policy_alloc+0x5c/0xb0
   xfrm_policy_construct+0x2b1/0x650
   xfrm_add_acquire+0x21d/0xa10
   xfrm_user_rcv_msg+0x431/0x6f0
   netlink_rcv_skb+0x15a/0x410
   xfrm_netlink_rcv+0x6d/0x90
   netlink_unicast+0x50e/0x6a0
   netlink_sendmsg+0x8ae/0xd40
   sock_sendmsg+0x133/0x170
   ___sys_sendmsg+0x834/0x9a0
   __sys_sendmsg+0x100/0x1e0
   do_syscall_64+0xe5/0x660
   entry_SYSCALL_64_after_hwframe+0x6a/0xdf

So fix it by adding the missing verify_sec_ctx_len check there.

Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-07 14:24:27 +02:00
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-04-07 13:41:33 +02:00
9p 9p/virtio: Add cleanup path in p9_virtio_init 2020-04-06 20:04:29 +02:00
802 A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
8021q vlan: fix memory leak in vlan_dev_set_egress_priority 2020-04-07 13:29:16 +02:00
appletalk appletalk: Set error code if register_snap_client failed 2020-04-07 12:46:15 +02:00
atm net: atm: Fix potential Spectre v1 vulnerabilities 2020-04-06 15:28:29 +02:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2020-04-07 07:37:32 +02:00
batman-adv batman-adv: Don't schedule OGM for disabled interface 2020-04-07 14:13:30 +02:00
bluetooth Bluetooth: delete a stray unlock 2020-04-07 13:24:53 +02:00
bridge netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule 2020-04-07 13:41:52 +02:00
caif A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
can can: purge socket error queue on sock destruct 2020-04-06 19:16:48 +02:00
ceph A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
core net: fib_rules: Correctly set table field when table number exceeds 8 bits 2020-04-07 14:04:28 +02:00
dcb A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dccp dccp: Fix memleak in __feat_register_sp 2020-04-07 13:36:40 +02:00
decnet decnet: fix DN_IFREQ_SIZE 2020-04-07 12:42:56 +02:00
dns_resolver A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dsa net: dsa: Fix duplicate frames flooded by learning 2020-04-07 14:23:26 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-04-07 13:25:04 +02:00
hsr hsr: set .netnsok flag 2020-04-07 14:23:42 +02:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-04-07 14:11:06 +02:00
ipv4 vti[6]: fix packet tx through bpf_redirect() in XinY cases 2020-04-07 14:24:23 +02:00
ipv6 vti[6]: fix packet tx through bpf_redirect() in XinY cases 2020-04-07 14:24:23 +02:00
ipx A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
irda A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
iucv net/af_iucv: always register net_device notifier 2020-04-07 13:42:16 +02:00
key xfrm: clean up xfrm protocol checks 2020-04-06 21:34:53 +02:00
l2tp compat_ioctl: pppoe: fix PPPOEIOCSFWD handling 2020-04-06 20:28:29 +02:00
l3mdev A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
lapb lapb: fixed leak of control-blocks. 2020-04-06 19:03:42 +02:00
llc llc: fix sk_buff refcounting in llc_conn_state_process() 2020-04-07 13:43:36 +02:00
mac80211 mac80211: mark station unauthorized before key removal 2020-04-07 14:24:18 +02:00
mac802154 A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mpls A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mptcp A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
ncm A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
netfilter netfilter: cthelper: add missing attribute validation for cthelper 2020-04-07 14:11:51 +02:00
netlabel A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
netlink net: netlink: cap max groups which will be considered in netlink_bind() 2020-04-07 14:04:58 +02:00
netrom netrom: hold sock when setting skb->destructor 2020-04-06 20:05:22 +02:00
nfc nfc: add missing attribute validation for vendor subcommand 2020-04-07 14:11:13 +02:00
openvswitch openvswitch: remove another BUG_ON() 2020-04-07 12:43:36 +02:00
packet packet: fix data-race in fanout_flow_is_huge() 2020-04-07 13:43:55 +02:00
phonet A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
rds net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' 2020-04-07 13:43:22 +02:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-04-07 13:28:52 +02:00
rose net: rose: fix a possible stack overflow 2020-04-06 12:57:06 +02:00
rxrpc A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sched net_sched: keep alloc_hash updated after hash allocation 2020-04-07 14:23:30 +02:00
sctp sctp: move the format error check out of __sctp_sf_do_9_1_abort 2020-04-07 14:04:36 +02:00
sunrpc sunrpc: expiry_time should be seconds not timeval 2020-04-07 13:50:16 +02:00
switchdev A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
tipc tipc: set sysctl_tipc_rmem and named_timeout right range 2020-04-07 13:41:27 +02:00
unix net: fix warning in af_unix 2020-04-07 12:34:56 +02:00
vmw_vsock VSOCK: bind to random port for VMADDR_PORT_ANY 2020-04-07 12:41:40 +02:00
wimax A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
wireless nl80211: add missing attribute validation for channel switch 2020-04-07 14:11:50 +02:00
x25 net/x25: fix nonblocking connect 2020-04-07 13:45:13 +02:00
xfrm xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire 2020-04-07 14:24:27 +02:00
compat.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Makefile A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
socket.c compat_ioctl: handle SIOCOUTQNSD 2020-04-07 13:37:06 +02:00
sysctl_net.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30