[PATCH v2 0/2] af_key: Fix for sadb_key memcpy read overrun

From: Kevin Easton
Date: Sat Apr 07 2018 - 11:40:30 EST

Next message: Kevin Easton: "[PATCH v2 1/2] af_key: Always verify length of provided sadb_key"
Previous message: Peter Zijlstra: "Re: [PATCH v2] locking/hung_task: Show all hung tasks before panic"
Next in thread: Kevin Easton: "[PATCH v2 1/2] af_key: Always verify length of provided sadb_key"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

As found by syzbot, af_key does not properly validate the key length in
sadb_key messages from userspace. This can result in copying from beyond
the end of the sadb_key part of the message, or indeed beyond the end of
the entire packet.

Both these patches apply cleanly to ipsec-next. Based on Steffen's
feedback I have re-ordered them so that the fix only is in patch 1, which
I would suggest is also a stable tree candidate, whereas patch 2 is a
cleanup only.

Kevin Easton (2):
af_key: Always verify length of provided sadb_key
af_key: Use DIV_ROUND_UP() instead of open-coded equivalent

net/key/af_key.c | 58 ++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 42 insertions(+), 16 deletions(-)

--
2.8.1

Next message: Kevin Easton: "[PATCH v2 1/2] af_key: Always verify length of provided sadb_key"
Previous message: Peter Zijlstra: "Re: [PATCH v2] locking/hung_task: Show all hung tasks before panic"
Next in thread: Kevin Easton: "[PATCH v2 1/2] af_key: Always verify length of provided sadb_key"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]