Google Git
Sign in
android / kernel / common / b6ded699b0d4a5f818b8a6b54d5b605abc212c1d
commitb6ded699b0d4a5f818b8a6b54d5b605abc212c1d[log] [tgz]
authorVladis Dronov <vdronov@redhat.com>Wed Aug 02 19:50:14 2017 +0200
committerTodd Kjos <tkjos@google.com>Mon Dec 04 15:48:24 2017 -0800
tree69a7ce78521e3cca1b01b367ed99b3d5d880bf6d
parent34803e7c1c92f53603f6aa11235915afc2589290 [diff]
xfrm: policy: check policy direction value

commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.

The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
as an array index. This can lead to an out-of-bound access, kernel lockup and
DoS. Add a check for the 'dir' value.

This fixes CVE-2017-11600.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: 69a7ce78521e3cca1b01b367ed99b3d5d880bf6d
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. build.config.goldfish.arm
  29. build.config.goldfish.arm64
  30. build.config.goldfish.mips
  31. build.config.goldfish.mips64
  32. build.config.goldfish.x86
  33. build.config.goldfish.x86_64
  34. COPYING
  35. CREDITS
  36. Kbuild
  37. Kconfig
  38. MAINTAINERS
  39. Makefile
  40. README
  41. REPORTING-BUGS