    af_key: fix buffer overread in verify_address_len() · 06b335cb
    Eric Biggers authored
    If a message sent to a PF_KEY socket ended with one of the extensions
    that takes a 'struct sadb_address' but there were not enough bytes
    remaining in the message for the ->sa_family member of the 'struct
    sockaddr' which is supposed to follow, then verify_address_len() read
    past the end of the message, into uninitialized memory.  Fix it by
    returning -EINVAL in this case.
    
    This bug was found using syzkaller with KMSAN.
    
    Reproducer:
    
    	#include <linux/pfkeyv2.h>
    	#include <sys/socket.h>
    	#include <unistd.h>
    
    	int main()
    	{
    		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
    		char buf[24] = { 0 };
    		struct sadb_msg *msg = (void *)buf;
    		struct sadb_address *addr = (void *)(msg + 1);
    
    		msg->sadb_msg_version = PF_KEY_V2;
    		msg->sadb_msg_type = SADB_DELETE;
    		msg->sadb_msg_len = 3;
    		addr->sadb_address_len = 1;
    		addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
    
    		write(sock, buf, 24);
    	}
    Reported-by: Alexander Potapenko <glider@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
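The bug class the commit describes is easy to see in a user-space model of the extension walk. The code below is an added example, not the kernel's own net/key/af_key.c or any code from the commit. It uses local copies of the PF_KEY v2 header layouts (same field order and sizes as linux/pfkeyv2.h, so it builds without kernel headers; the SADB_* numeric values are taken from RFC 2367), walks the extension chain the way a PF_KEY parser must, and, for the address extensions that are followed by a sockaddr, refuses any extension that is too short to even hold sa_family, returning -EINVAL as the commit message says the fix does. The exact-size check per address family after that is modelled on the usual verify_address_len() behaviour and is an assumption here. The reproducer message from the commit is rebuilt byte for byte as constructed input, alongside a well-formed SADB_DELETE for comparison.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Local copies of the PF_KEY v2 layouts (as in linux/pfkeyv2.h / RFC 2367). */
#define PFK_V2             2
#define PFK_DELETE         4
#define PFK_EXT_ADDR_SRC   5
#define PFK_EXT_ADDR_DST   6
#define PFK_EXT_ADDR_PROXY 7

struct pfk_msg {              /* struct sadb_msg, 16 bytes */
	uint8_t  version, type, err, satype;
	uint16_t len;             /* whole message, in 8-byte units */
	uint16_t reserved;
	uint32_t seq, pid;
};
struct pfk_address {          /* struct sadb_address, 8 bytes */
	uint16_t len;             /* this extension, in 8-byte units */
	uint16_t exttype;
	uint8_t  proto, prefixlen;
	uint16_t reserved;
};
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* One sadb_address extension of ext_bytes bytes (already inside the message).
 * The unpatched kernel read ((struct sockaddr *)(sp + 1))->sa_family here; when
 * the extension was only its 8-byte header that read was past the message. */
static int verify_address_ext(const uint8_t *ext, size_t ext_bytes)
{
	sa_family_t family;

	if (ext_bytes < sizeof(struct pfk_address) + sizeof family)
		return -EINVAL;   /* no room for sa_family: reject, do not read it */
	memcpy(&family, ext + sizeof(struct pfk_address), sizeof family);
	switch (family) {     /* assumed: the whole sockaddr must then fit exactly */
	case AF_INET:
		return ext_bytes == 8 * DIV_ROUND_UP(sizeof(struct pfk_address) + sizeof(struct sockaddr_in), 8) ? 0 : -EINVAL;
	case AF_INET6:
		return ext_bytes == 8 * DIV_ROUND_UP(sizeof(struct pfk_address) + sizeof(struct sockaddr_in6), 8) ? 0 : -EINVAL;
	default:
		return -EINVAL;
	}
}

/* Walk the extension chain of a PF_KEY message in buf[0..len). 0 or -EINVAL. */
int pfkey_check_message(const uint8_t *buf, size_t len)
{
	struct pfk_msg hdr;
	size_t off, ext_bytes;

	if (len < sizeof hdr)
		return -EINVAL;
	memcpy(&hdr, buf, sizeof hdr);
	if (hdr.version != PFK_V2 || (size_t)hdr.len * 8 != len)
		return -EINVAL;
	for (off = sizeof hdr; off < len; off += ext_bytes) {
		uint16_t ext_len, exttype;

		if (len - off < 4)
			return -EINVAL;
		memcpy(&ext_len, buf + off, 2);
		memcpy(&exttype, buf + off + 2, 2);
		ext_bytes = (size_t)ext_len * 8;
		/* The extension must fit what is left (zero length would loop forever).
		 * The reproducer passes this check: its extension really is 8 bytes. */
		if (ext_bytes < 8 || ext_bytes > len - off)
			return -EINVAL;
		if (exttype == PFK_EXT_ADDR_SRC || exttype == PFK_EXT_ADDR_DST ||
		    exttype == PFK_EXT_ADDR_PROXY) {
			if (verify_address_ext(buf + off, ext_bytes) < 0)
				return -EINVAL;
		}                 /* other extension types are not modelled here */
	}
	return 0;
}

/* Constructed input: the 24-byte message from the commit's reproducer. */
size_t build_reproducer(uint8_t *out, size_t cap)
{
	struct pfk_msg hdr = { .version = PFK_V2, .type = PFK_DELETE, .len = 3 };
	struct pfk_address addr = { .len = 1, .exttype = PFK_EXT_ADDR_SRC };

	if (cap < 24)
		return 0;
	memset(out, 0, 24);
	memcpy(out, &hdr, sizeof hdr);
	memcpy(out + sizeof hdr, &addr, sizeof addr);
	return 24;
}

/* Constructed input: SADB_DELETE with SRC and DST extensions of addr_units*8
 * bytes each, family stored right after the header, rest zero-filled. */
size_t build_delete(uint8_t *out, size_t cap, uint16_t addr_units, sa_family_t family)
{
	size_t addr_bytes = (size_t)addr_units * 8;
	size_t total = sizeof(struct pfk_msg) + 2 * addr_bytes;
	struct pfk_msg hdr = { .version = PFK_V2, .type = PFK_DELETE, .len = (uint16_t)(total / 8) };
	struct pfk_address addr = { .len = addr_units, .exttype = PFK_EXT_ADDR_SRC };
	uint8_t *p = out + sizeof hdr;

	if (cap < total || addr_bytes < sizeof addr + sizeof family)
		return 0;
	memset(out, 0, total);
	memcpy(out, &hdr, sizeof hdr);
	memcpy(p, &addr, sizeof addr);
	memcpy(p + sizeof addr, &family, sizeof family);
	addr.exttype = PFK_EXT_ADDR_DST;
	memcpy(p + addr_bytes, &addr, sizeof addr);
	memcpy(p + addr_bytes + sizeof addr, &family, sizeof family);
	return total;
}

int check_reproducer(void)
{
	uint8_t buf[64];
	size_t n = build_reproducer(buf, sizeof buf);
	return n ? pfkey_check_message(buf, n) : -1;
}

/* Reproducer with sadb_address_len bumped to 2: now the extension claims 16
 * bytes with 8 remaining, which the pre-existing fit check already catches. */
int check_oversized_ext(void)
{
	uint8_t buf[64];
	uint16_t two = 2;
	size_t n = build_reproducer(buf, sizeof buf);
	if (!n)
		return -1;
	memcpy(buf + sizeof(struct pfk_msg), &two, sizeof two);
	return pfkey_check_message(buf, n);
}

int check_delete(uint16_t addr_units, sa_family_t family)
{
	uint8_t buf[128];
	size_t n = build_delete(buf, sizeof buf, addr_units, family);
	return n ? pfkey_check_message(buf, n) : -1;
}

int main(void)
{
	printf("reproducer (8-byte address ext): %d\n", check_reproducer());
	printf("oversized ext:                   %d\n", check_oversized_ext());
	printf("AF_INET, 3 units:                %d\n", check_delete(3, AF_INET));
	printf("AF_INET, 2 units:                %d\n", check_delete(2, AF_INET));
	return 0;
}
```

The point to take away is the order of checks: the generic "does the extension fit the message" test passes for the reproducer, because an 8-byte sadb_address really does fit in the 8 bytes that remain; the overread only happens when the per-type verifier assumes the sockaddr body is present. Any per-type length check must therefore come before the first dereference of that body, which is what returning -EINVAL up front achieves.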