Re: af_key: pfkey_dump needs parameter validation

[Mark Salyzyn]

On 7/22/20 2:33 AM, Steffen Klassert wrote:
> On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
> > In pfkey_dump() dplen and splen can both be specified to access the
> > xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
> > when it calls addr_match() with the indexes.  Return EINVAL if either
> > are out of range.
> >
> > Signed-off-by: Mark Salyzyn <salyzyn@xxxxxxxxxxx>
> > Cc: netdev@xxxxxxxxxxxxxxx
> > Cc: linux-kernel@xxxxxxxxxxxxxxx
> > Cc: kernel-team@xxxxxxxxxxx
> > ---
> > Should be back ported to the stable queues because this is a out of
> > bounds access.
> Please do a v2 and add a proper 'Fixes' tag if this is a fix that
> needs to be backported.
>
> Thanks!

Confused because this code was never right? From 2008 there was a 
rewrite that instantiated this fragment of code so that it could handle 
continuations for overloaded receive queues, but it was not right before 
the adjustment.

Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP 
entries non-atomically")

that is reaching back more than 12 years and the blame is poorly aimed 
AFAIK.

Sincerely -- Mark Salyzyn