Re: [PATCH net] net/xfrm: Refuse to allocate xfrm_state with SPI value 0
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: 2025-09-22 07:08:23
Also in:
linux-kernel-mentees, lkml
On Sun, Sep 21, 2025 at 05:27:01AM +0300, Nikola Z. Ivanov wrote:
> Reported by syzkaller: "KASAN: slab-use-after-free Read in xfrm_alloc_spi"
> Before commit 94f39804d891 ("xfrm: Duplicate SPI Handling")
> xfrm_alloc_spi would report spi=0 as unavailable.
> Add this behaviour back by adding 1 to the "low" value when it is passed as 0.
> Allocating xfrm_state with spi=0 leads to UAF or CPU stall.
> Fixes: 94f39804d891 ("xfrm: Duplicate SPI Handling")
> Signed-off-by: Nikola Z. Ivanov <redacted>
This is already fixed in the ipsec tree by
commit cd8ae32e4e46 ("xfrm: xfrm_alloc_spi shouldn't use 0 as SPI")
Thanks a lot anyway!