Patch "xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH" has been added to the 6.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 20 Aug 2023 19:33:56 -0400

This is a note to let you know that I've just added the patch titled

    xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-add-forgotten-nla_policy-for-xfrma_mtimer_thres.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 99f649f4946d38ca94e1cb2402ef61355dccb500
Author: Lin Ma <linma@xxxxxxxxxx>
Date:   Sun Jul 23 15:41:10 2023 +0800

    xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
    
    [ Upstream commit 5e2424708da7207087934c5c75211e8584d553a0 ]
    
    The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change
    message to user space") added one additional attribute named
    XFRMA_MTIMER_THRESH and described its type at compat_policy
    (net/xfrm/xfrm_compat.c).
    
    However, the author forgot to also describe the nla_policy at
    xfrma_policy (net/xfrm/xfrm_user.c). Hence, this suppose NLA_U32 (4
    bytes) value can be faked as empty (0 bytes) by a malicious user, which
    leads to 4 bytes overflow read and heap information leak when parsing
    nlattrs.
    
    To exploit this, one malicious user can spray the SLUB objects and then
    leverage this 4 bytes OOB read to leak the heap data into
    x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to
    userspace via copy_to_user_state_extra(...).
    
    The above bug is assigned CVE-2023-3773. To fix it, this commit just
    completes the nla_policy description for XFRMA_MTIMER_THRESH, which
    enforces the length check and avoids such OOB read.
    
    Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
    Signed-off-by: Lin Ma <linma@xxxxxxxxxx>
    Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
    Reviewed-by: Leon Romanovsky <leonro@xxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 8f74dde4a55f6..f06d6deb58dd4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3044,6 +3044,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
 	[XFRMA_SET_MARK]	= { .type = NLA_U32 },
 	[XFRMA_SET_MARK_MASK]	= { .type = NLA_U32 },
 	[XFRMA_IF_ID]		= { .type = NLA_U32 },
+	[XFRMA_MTIMER_THRESH]   = { .type = NLA_U32 },
 };
 EXPORT_SYMBOL_GPL(xfrma_policy);
 






