    xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY · e8c2adcc
    Sabrina Dubroca authored
    commit 9b3eb541 upstream.
    
    When CONFIG_XFRM_SUB_POLICY=y, xfrm_dst stores a copy of the flowi for
    that dst. Unfortunately, the code that allocates and fills this copy
    doesn't care about what type of flowi (flowi, flowi4, flowi6) gets
    passed. In multiple code paths (from raw_sendmsg, from TCP when
    replying to a FIN, in vxlan, geneve, and gre), the flowi that gets
    passed to xfrm is actually an on-stack flowi4, so we end up reading
    stuff from the stack past the end of the flowi4 struct.
    
    Since xfrm_dst->origin isn't used anywhere following commit
    ca116922 ("xfrm: Eliminate "fl" and "pol" args to
    xfrm_bundle_ok()."), just get rid of it.  xfrm_dst->partner isn't used
    either, so get rid of that too.
    
    Fixes: 9d6ec938 ("ipv4: Use flowi4 in public route lookup interfaces.")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    [bwh: Backported to 3.2: deleted code is slightly different]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
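The over-read the message describes, as an added C example (not the kernel's code): reduced models of `flowi4`, `flowi6` and the `flowi` union show how a copy sized by the union reads past an on-stack `flowi4`, and a family-aware copy that only reads what the caller actually passed. Struct layouts, `AF_*` values and all function names here are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { AF_INET = 2, AF_INET6 = 10 };

/* Reduced models of the kernel's flow structures (constructed for this
 * example; only the size relationship between them matters). */
struct flowi_common { int oif; uint8_t proto; uint8_t tos; };
struct flowi4 {                 /* IPv4 flow key, the variant built on the stack */
    struct flowi_common common;
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};
struct flowi6 {                 /* IPv6 flow key, considerably larger */
    struct flowi_common common;
    uint8_t  daddr[16], saddr[16];
    uint32_t flowlabel;
    uint16_t sport, dport;
};
struct flowi {                  /* union of the variants, as in the kernel */
    union { struct flowi_common common; struct flowi4 ip4; struct flowi6 ip6; } u;
};

/* Bytes read past the end of an on-stack flowi4 when the copy is sized by
 * the union rather than by the variant the caller actually passed. */
size_t flowi4_overread_bytes(void)
{
    return sizeof(struct flowi) - sizeof(struct flowi4);
}

/* Family-aware copy: reads only the bytes the source has, zero-fills the
 * rest of the union. Returns bytes copied, 0 when the family is unknown. */
size_t flowi_copy_for_family(struct flowi *dst, const void *src, unsigned short family)
{
    size_t n = family == AF_INET  ? sizeof(struct flowi4)
             : family == AF_INET6 ? sizeof(struct flowi6) : 0;
    memset(dst, 0, sizeof(*dst));
    if (n) memcpy(dst, src, n);
    return n;
}

/* Round trip of an on-stack flowi4 through the family-aware copy. */
int flowi4_copy_roundtrip_ok(void)
{
    struct flowi4 fl4 = { .common = { .oif = 3, .proto = 17 },
                          .saddr = 0x0a000001, .daddr = 0x0a000002, .sport = 1234, .dport = 4500 };
    struct flowi dst;
    if (flowi_copy_for_family(&dst, &fl4, AF_INET) != sizeof fl4) return 0;
    return dst.u.ip4.daddr == fl4.daddr && dst.u.ip4.dport == fl4.dport;
}
```

The upstream fix went further and dropped the stored copy altogether, since nothing read it; the sized copy above is the defensive shape to use when such a copy is genuinely needed.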