Patch "xfrm: validate new SA's prefixlen using SA family when sel.family is unset" has been added to the 6.6-stable tree

This is a note to let you know that I've just added the patch titled

    xfrm: validate new SA's prefixlen using SA family when sel.family is unset

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-validate-new-sa-s-prefixlen-using-sa-family-whe.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2509ee204c957aeb677d90083f814e8963ca813e
Author: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
Date:   Tue Oct 1 18:48:14 2024 +0200

    xfrm: validate new SA's prefixlen using SA family when sel.family is unset
    
    [ Upstream commit 3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563 ]
    
    This expands the validation introduced in commit 07bf7908950a ("xfrm:
    Validate address prefix lengths in the xfrm selector.")
    
    syzbot created an SA with
        usersa.sel.family = AF_UNSPEC
        usersa.sel.prefixlen_s = 128
        usersa.family = AF_INET
    
    Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
    limits on prefixlen_{s,d}. But then copy_from_user_state sets
    x->sel.family to usersa.family (AF_INET). Do the same conversion in
    verify_newsa_info before validating prefixlen_{s,d}, since that's how
    prefixlen is going to be used later on.
    
    Reported-by: syzbot+cc39f136925517aed571@xxxxxxxxxxxxxxxxxxxxxxxxx
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 4328e81ea6a31..12e9d0e703e70 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -201,6 +201,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 {
 	int err;
 	u8 sa_dir = attrs[XFRMA_SA_DIR] ? nla_get_u8(attrs[XFRMA_SA_DIR]) : 0;
+	u16 family = p->sel.family;
 
 	err = -EINVAL;
 	switch (p->family) {
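Review bot: the new local `family` declared at the top of verify_newsa_info is easy to misread next to the `switch (p->family)` a few lines below, because it is initialised from `p->sel.family` and not from the SA family. A name such as `sel_family` would keep the two apart, and the initialisation could sit next to the fallback later in the function where the value is adjusted.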
@@ -221,7 +222,10 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 		goto out;
 	}
 
-	switch (p->sel.family) {
+	if (!family && !(p->flags & XFRM_STATE_AF_UNSPEC))
+		family = p->family;
+
+	switch (family) {
 	case AF_UNSPEC:
 		break;
 
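Review bot: the fallback `if (!family && !(p->flags & XFRM_STATE_AF_UNSPEC))` has no comment tying it to the conversion that, per the commit message, copy_from_user_state performs later, so nothing at this spot tells a future editor that the two must stay in step. A one-line comment naming copy_from_user_state would help, and `family == AF_UNSPEC` would read more consistently with the `case AF_UNSPEC:` label that follows than `!family`.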



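The validation gap described in the commit message, as a user-space C model added here (not kernel code and not part of the patch). The struct, the `M_` constants and the `verify_before`/`verify_after` names are assumptions made for illustration; the per-family limits are the IPv4 and IPv6 address widths.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only: names are hypothetical, values mirror Linux. */
#define M_AF_UNSPEC 0
#define M_AF_INET 2
#define M_AF_INET6 10
#define M_STATE_AF_UNSPEC 32 /* models XFRM_STATE_AF_UNSPEC */

struct model_sa {            /* hypothetical stand-in for xfrm_usersa_info */
    uint16_t sel_family;     /* models p->sel.family */
    uint8_t prefixlen_s, prefixlen_d;
    uint16_t family;         /* models p->family */
    uint8_t flags;
};

/* Prefix limits per selector family: 32 bits for IPv4, 128 for IPv6. */
static int check_prefix(uint16_t family, const struct model_sa *p)
{
    switch (family) {
    case M_AF_UNSPEC: return 0; /* no limit applied */
    case M_AF_INET:   return (p->prefixlen_s > 32 || p->prefixlen_d > 32) ? -EINVAL : 0;
    case M_AF_INET6:  return (p->prefixlen_s > 128 || p->prefixlen_d > 128) ? -EINVAL : 0;
    default:          return -EINVAL;
    }
}

/* Before the patch: validate against the selector family exactly as supplied. */
int verify_before(const struct model_sa *p) { return check_prefix(p->sel_family, p); }

/* After the patch: apply the SA-family fallback first, then validate. */
int verify_after(const struct model_sa *p)
{
    uint16_t family = p->sel_family;
    if (!family && !(p->flags & M_STATE_AF_UNSPEC))
        family = p->family;
    return check_prefix(family, p);
}

/* Constructed inputs: the syzbot case (prefixlen_d chosen as 0), then the same with the flag set. */
const struct model_sa syzbot_sa = { M_AF_UNSPEC, 128, 0, M_AF_INET, 0 };
const struct model_sa flagged_sa = { M_AF_UNSPEC, 128, 0, M_AF_INET, M_STATE_AF_UNSPEC };

int main(void)
{
    printf("before=%d after=%d flagged=%d\n", verify_before(&syzbot_sa), verify_after(&syzbot_sa), verify_after(&flagged_sa));
    return 0;
}
```

The flagged case stays accepted in the model because the patched condition skips the fallback when the flag is set.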
