Thread (7 messages) 7 messages, 3 authors, 2025-01-31

Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()

From: Simon Horman <horms@kernel.org>
Date: 2025-01-22 12:39:41
Also in: kernel-janitors, lkml

On Tue, Jan 21, 2025 at 02:16:01PM +0300, Dan Carpenter wrote:
The problem is that "replay_esn->bmp_len" comes from the user and it's
a u32.  The xfrm_replay_state_esn_len() function also returns a u32.
So if we choose a ->bmp_len which very high then the total will be
more than UINT_MAX and value will be truncated when we return.  The
returned value will be smaller than expected causing problems in the
caller.

To fix this:
1) Use size_add() and size_mul().  This change is necessary for 32bit
   systems.
2) Change the type of xfrm_replay_state_esn_len() and related variables
   from u32 to size_t.
3) Remove the casts to (int).  The size should never be negative.
   Generally, values which come from size_add/mul() should stay as type
   size_t and not be truncated to user fewer than all the bytes in a
   unsigned long.

Cc: stable@vger.kernel.org
Fixes: 9736acf395d3 ("xfrm: Add basic infrastructure to support IPsec extended sequence numbers")
Signed-off-by: Dan Carpenter <redacted>
---
The one caller that I didn't modify was xfrm_sa_len().  That's a bit
complicated and also I'm kind of hoping that we don't handle user
controlled data in that function?  The place where we definitely are
handling user data is in xfrm_alloc_replay_state_esn() and this patch
fixes that.
Yes, that is a bit "complex".

FWIIW, my opinion is that your patch is correct and it improves things -
even if the end result may still have imperfections. And for that reason
I'm in favour of it being accepted.

Reviewed-by: Simon Horman <horms@kernel.org>
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help