xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to wrapping issues. To ensure we are correctly ensuring that the two ESN structures are the same size compare both the overall size as reported by xfrm_replay_state_esn_len() and the internal length are the same. CVE-2017-7184 Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Change-Id: I5e82169063dadb1577f81da0a4e750d11b6aa045

commit: 2337d793bbe91ca875813ace30fa37385f6e78d9 [log] [tgz]
author: Andy Whitcroft <apw@canonical.com> Thu Mar 23 07:45:44 2017 +0000
committer: edwardcw_lin <Edwardcw_Lin@compal.com> Wed Apr 26 11:51:24 2017 +0800
tree: 9ff6f97f0f7042d56a0388673afd344390d28de7
parent: 3a6b11559f2e70b070e7e2aa84b9c46c25749bea [diff]
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e812e988..a6967ee 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c

@@ -386,7 +386,11 @@
 	up = nla_data(rp);
 	ulen = xfrm_replay_state_esn_len(up);
 
-	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+	/* Check the overall length and the internal bitmap length to avoid
+	 * potential overflow. */
+	if (nla_len(rp) < ulen ||
+	    xfrm_replay_state_esn_len(replay_esn) != ulen ||
+	    replay_esn->bmp_len != up->bmp_len)
 		return -EINVAL;
 
 	return 0;
commit	2337d793bbe91ca875813ace30fa37385f6e78d9	[log] [tgz]
author	Andy Whitcroft <apw@canonical.com>	Thu Mar 23 07:45:44 2017 +0000
committer	edwardcw_lin <Edwardcw_Lin@compal.com>	Wed Apr 26 11:51:24 2017 +0800
tree	9ff6f97f0f7042d56a0388673afd344390d28de7
parent	3a6b11559f2e70b070e7e2aa84b9c46c25749bea [diff]