xfrm: validate new SA's prefixlen using SA family when sel.family is unset

PlaidCat · PlaidCat · commit f3f1f5da799a · 2024-12-19T13:34:19.000-05:00
jira LE-2177 cve CVE-2024-50142 Rebuild_History Non-Buildable kernel-5.14.0-503.19.1.el9_5 commit-author Sabrina Dubroca <sd@queasysnail.net> commit 3f0ab59 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/3f0ab59e.failed This expands the validation introduced in commit 07bf790 ("xfrm: Validate address prefix lengths in the xfrm selector.") syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on. Reported-by: syzbot+cc39f136925517aed571@syzkaller.appspotmail.com Fixes: 1da177e ("Linux-2.6.12-rc2") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> (cherry picked from commit 3f0ab59) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/xfrm/xfrm_user.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/3f0ab59e.failed b/ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/3f0ab59e.failed
@@ -0,0 +1,51 @@
+xfrm: validate new SA's prefixlen using SA family when sel.family is unset
+
+jira LE-2177
+cve CVE-2024-50142
+Rebuild_History Non-Buildable kernel-5.14.0-503.19.1.el9_5
+commit-author Sabrina Dubroca <sd@queasysnail.net>
+commit 3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-503.19.1.el9_5/3f0ab59e.failed
+
+This expands the validation introduced in commit 07bf7908950a ("xfrm:
+Validate address prefix lengths in the xfrm selector.")
+
+syzbot created an SA with
+    usersa.sel.family = AF_UNSPEC
+    usersa.sel.prefixlen_s = 128
+    usersa.family = AF_INET
+
+Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
+limits on prefixlen_{s,d}. But then copy_from_user_state sets
+x->sel.family to usersa.family (AF_INET). Do the same conversion in
+verify_newsa_info before validating prefixlen_{s,d}, since that's how
+prefixlen is going to be used later on.
+
+	Reported-by: syzbot+cc39f136925517aed571@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+	Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+	Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+(cherry picked from commit 3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/xfrm/xfrm_user.c
+diff --cc net/xfrm/xfrm_user.c
+index a9f7d204e6df,8d06a37adbd9..000000000000
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@@ -176,6 -200,8 +176,11 @@@ static int verify_newsa_info(struct xfr
+  			     struct netlink_ext_ack *extack)
+  {
+  	int err;
+++<<<<<<< HEAD
+++=======
++ 	u8 sa_dir = attrs[XFRMA_SA_DIR] ? nla_get_u8(attrs[XFRMA_SA_DIR]) : 0;
++ 	u16 family = p->sel.family;
+++>>>>>>> 3f0ab59e6537 (xfrm: validate new SA's prefixlen using SA family when sel.family is unset)
+  
+  	err = -EINVAL;
+  	switch (p->family) {
+* Unmerged path net/xfrm/xfrm_user.c
