mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-28 06:34:12 +08:00
[IPSEC] XFRM_USER: kernel panic when large security contexts in ACQUIRE
When sending a security context of 50+ characters in an ACQUIRE message, following kernel panic occurred. kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781! cpu 0x3: Vector: 700 (Program Check) at [c0000000421bb2e0] pc: c00000000033b074: .xfrm_send_acquire+0x240/0x2c8 lr: c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8 sp: c0000000421bb560 msr: 8000000000029032 current = 0xc00000000fce8f00 paca = 0xc000000000464b00 pid = 2303, comm = ping kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781! enter ? for help 3:mon> t [c0000000421bb650] c00000000033538c .km_query+0x6c/0xec [c0000000421bb6f0] c000000000337374 .xfrm_state_find+0x7f4/0xb88 [c0000000421bb7f0] c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c [c0000000421bb8d0] c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0 [c0000000421bba00] c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4 [c0000000421bbaa0] c0000000003106d8 .ip4_datagram_connect+0x218/0x374 [c0000000421bbbd0] c00000000031bc00 .inet_dgram_connect+0xac/0xd4 [c0000000421bbc60] c0000000002b11ac .sys_connect+0xd8/0x120 [c0000000421bbd90] c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214 [c0000000421bbe30] c00000000000869c syscall_exit+0x0/0x40 --- Exception: c00 (System Call) at 0000000007f0ca9c SP (fc0ef8f0) is in userspace We are using size of security context from xfrm_policy to determine how much space to alloc skb and then putting security context from xfrm_state into skb. Should have been using size of security context from xfrm_state to alloc skb. Following fix does that Signed-off-by: Joy Latten <latten@austin.ibm.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
279e172a58
commit
661697f728
@ -272,9 +272,8 @@ static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_a
|
||||
}
|
||||
|
||||
|
||||
static inline int xfrm_user_sec_ctx_size(struct xfrm_policy *xp)
|
||||
static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx)
|
||||
{
|
||||
struct xfrm_sec_ctx *xfrm_ctx = xp->security;
|
||||
int len = 0;
|
||||
|
||||
if (xfrm_ctx) {
|
||||
@ -2170,7 +2169,7 @@ static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt,
|
||||
|
||||
len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
|
||||
len += NLMSG_SPACE(sizeof(struct xfrm_user_acquire));
|
||||
len += RTA_SPACE(xfrm_user_sec_ctx_size(xp));
|
||||
len += RTA_SPACE(xfrm_user_sec_ctx_size(x->security));
|
||||
#ifdef CONFIG_XFRM_SUB_POLICY
|
||||
len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type));
|
||||
#endif
|
||||
@ -2280,7 +2279,7 @@ static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_eve
|
||||
|
||||
len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
|
||||
len += NLMSG_SPACE(sizeof(struct xfrm_user_polexpire));
|
||||
len += RTA_SPACE(xfrm_user_sec_ctx_size(xp));
|
||||
len += RTA_SPACE(xfrm_user_sec_ctx_size(xp->security));
|
||||
#ifdef CONFIG_XFRM_SUB_POLICY
|
||||
len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type));
|
||||
#endif
|
||||
|
Loading…
Reference in New Issue
Block a user