From nobody Fri Dec 19 21:48:51 2025
Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com
 [209.85.221.54])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D5D681ABED7
	for <linux-kernel@vger.kernel.org>; Tue, 21 Jan 2025 11:16:06 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.54
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1737458168; cv=none;
 b=H70Vt3uncsh90VYAmaeT0luqn41LC5P/GmkUD9DH3RT9PlH1jWdyktfQW+2VFqDZ87eTLBsLn0ikqLPJyk0GkUtgi/c8YjGLts6S3Fb8I7QJ/lpGyPBLk7z9HmsLHop6zibsW9R3dvj2tczK715Z+jFBVD/FThdLE+T3XtGBwF4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1737458168; c=relaxed/simple;
	bh=8NXyXgmj72dOMTLLbd9mQTnaEflcGG11z6lNzHOYKVY=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition;
 b=oB7ej2LXdvF8gf41FqYHxdG0d5zsgOMQc5RtmmxQxbIYl6zgNoTVM6/e4+N7NmhkD7ZjzfAg04jIxhD8fZZHr+imiMcaVATppQqkBKfudRvzKaQ13MPYDFXt78dp6yK/RVFmfiZEQUENsK7mas/rALlGQq1BQvmD0+DW95fyrHw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linaro.org;
 spf=pass smtp.mailfrom=linaro.org;
 dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org
 header.b=rxnD8b2s; arc=none smtp.client-ip=209.85.221.54
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=linaro.org
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org
 header.b="rxnD8b2s"
Received: by mail-wr1-f54.google.com with SMTP id
 ffacd0b85a97d-385ddcfc97bso4490459f8f.1
        for <linux-kernel@vger.kernel.org>;
 Tue, 21 Jan 2025 03:16:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1737458165; x=1738062965;
 darn=vger.kernel.org;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=eQ9/vKCvteNP1p+2IIytP3er3wI3McGb3ig0DvAbV/A=;
        b=rxnD8b2sFy5BtQlee0FZhFWmMH5kSbc/m7enZK7/ywjRzVPMq3b+w3megC7VMNGKOH
         OC9R5rxae8hnECyX8b5pUvZHUoRUOU+PvYOqy2+e5UIxlsdatQCT8JldTH4noKFmr46r
         pcpG+J9x4JFDe62mvuU+Csdh4iwMVvfkbGL/aVOJugcaBvmhijeI8g7Arl6bhfUMn4nW
         c3mq6XuFiVHBtpgTFmyhgox03sgG8YgswRiz95zbzI0PbOXWmud5feZVkKDe5Q3pJc9/
         ZblwLtgzea4YuC1PpPMYWe5TjWn+JqoNIJwLHPvG90s6/56qqcqfRYpLJ1+sIMO8ofL6
         3z7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1737458165; x=1738062965;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=eQ9/vKCvteNP1p+2IIytP3er3wI3McGb3ig0DvAbV/A=;
        b=E47QVGN6/Ag/EjY1/vj7o0+lOdDGwQ+0OmFjbXlQKz1gRyg86GrF2qzxNEGNab0ME+
         4/IK7V/cMmn2axyl24hsyYabi+itYP40H55LnDD+cjxhfTud1wXx7bRQCrTFvP68WNZu
         ehnd7JagssJqM59LxL/u67dmghFwHs95Rnb0DmUTe9ref3N1c/9ZMKKUfP3pI+Yri4bP
         4ois0cfUsGGrmFBbEPvNhM67iDk75ptE2kH+VE97HvnXgEQEfuavvewDYm0aEwiKZVN9
         XaL4qJEOugKTypNyCLJHixY/PTjeRouuXBlegLGQbr0OOHPXyYyoP++Q04fnKJ3itNP4
         dZlA==
X-Forwarded-Encrypted: i=1;
 AJvYcCUbaTt078AzlSRw43WODQFbWQxYHyR6CAtPBf8YTvGw7yiMTyWLvkEYettUFPzGay3IvORHwm15cL5RWmE=@vger.kernel.org
X-Gm-Message-State: AOJu0Ywe/2Y8tB+DJra8SnSCiVd+asL7kJeWpUmscyuBaXqPVC4Z1qIA
	FR9BsiXDn8266mzlV+nuP+j63gfofrbHTo69//69K/mo3dP9dnKNDIvGaVI5S7A=
X-Gm-Gg: ASbGnctRYuRQwEgxhOm3rLoW9KUcIIG3GKWjdQOObpJX3p/JyPnQ11QGhAu0HPVr1Ao
	1KyPUkbKuYHX26RIqGvJOTPsXF5OfOoMcNSDD5iDtGdrtfaqfRnoXkisJoiVIK7H/buoiV1RnJI
	qUT8Fm7YR6fhgMdaHELCJ+N0KKzWec5ekCjCw7hj74d8RV/gQMuEtsfGj0XLlsj3qep9gX5Lzmn
	mktIi7ZmQ7DvI0ixcZ/sg3/BrYY+5/vB+pkSNbpshtz5F7WABGXSZV1ahxkAUolrjes6w/vqaw=
X-Google-Smtp-Source: 
 AGHT+IFu5iwWBJlfMKb2qqPgPYEgPFg5JRSCPVWEsRxn/dai+wPHA1OMBL4MUFjUwRffREHT3Asyhw==
X-Received: by 2002:adf:e404:0:b0:38b:f074:214c with SMTP id
 ffacd0b85a97d-38bf5674039mr9683425f8f.30.1737458165132;
        Tue, 21 Jan 2025 03:16:05 -0800 (PST)
Received: from localhost ([196.207.164.177])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-38bf322aa0asm13269386f8f.50.2025.01.21.03.16.04
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 21 Jan 2025 03:16:04 -0800 (PST)
Date: Tue, 21 Jan 2025 14:16:01 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()
Message-ID: <018ecf13-e371-4b39-8946-c7510baf916b@stanley.mountain>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Disposition: inline
X-Mailer: git-send-email haha only kidding
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The problem is that "replay_esn->bmp_len" comes from the user and it's
a u32.  The xfrm_replay_state_esn_len() function also returns a u32.
So if we choose a ->bmp_len which very high then the total will be
more than UINT_MAX and value will be truncated when we return.  The
returned value will be smaller than expected causing problems in the
caller.

To fix this:
1) Use size_add() and size_mul().  This change is necessary for 32bit
   systems.
2) Change the type of xfrm_replay_state_esn_len() and related variables
   from u32 to size_t.
3) Remove the casts to (int).  The size should never be negative.
   Generally, values which come from size_add/mul() should stay as type
   size_t and not be truncated to user fewer than all the bytes in a
   unsigned long.

Cc: stable@vger.kernel.org
Fixes: 9736acf395d3 ("xfrm: Add basic infrastructure to support IPsec exten=
ded sequence numbers")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
---
The one caller that I didn't modify was xfrm_sa_len().  That's a bit
complicated and also I'm kind of hoping that we don't handle user
controlled data in that function?  The place where we definitely are
handling user data is in xfrm_alloc_replay_state_esn() and this patch
fixes that.

 include/net/xfrm.h   |  4 ++--
 net/xfrm/xfrm_user.c | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index ed4b83696c77..0a42614d7840 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1981,9 +1981,9 @@ static inline unsigned int xfrm_alg_auth_len(const st=
ruct xfrm_algo_auth *alg)
 	return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
 }
=20
-static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_st=
ate_esn *replay_esn)
+static inline size_t xfrm_replay_state_esn_len(struct xfrm_replay_state_es=
n *replay_esn)
 {
-	return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
+	return size_add(sizeof(*replay_esn), size_mul(replay_esn->bmp_len, sizeof=
(__u32)));
 }
=20
 #ifdef CONFIG_XFRM_MIGRATE
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 08c6d6f0179f..4bfa72547dab 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -151,7 +151,7 @@ static inline int verify_replay(struct xfrm_usersa_info=
 *p,
 		return -EINVAL;
 	}
=20
-	if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
+	if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
 	    nla_len(rt) !=3D sizeof(*rs)) {
 		NL_SET_ERR_MSG(extack, "ESN attribute is too short to fit the full bitma=
p length");
 		return -EINVAL;
@@ -681,7 +681,7 @@ static inline int xfrm_replay_verify_len(struct xfrm_re=
play_state_esn *replay_es
 					 struct netlink_ext_ack *extack)
 {
 	struct xfrm_replay_state_esn *up;
-	unsigned int ulen;
+	size_t ulen;
=20
 	if (!replay_esn || !rp)
 		return 0;
@@ -691,7 +691,7 @@ static inline int xfrm_replay_verify_len(struct xfrm_re=
play_state_esn *replay_es
=20
 	/* Check the overall length and the internal bitmap length to avoid
 	 * potential overflow. */
-	if (nla_len(rp) < (int)ulen) {
+	if (nla_len(rp) < ulen) {
 		NL_SET_ERR_MSG(extack, "ESN attribute is too short");
 		return -EINVAL;
 	}
@@ -719,14 +719,14 @@ static int xfrm_alloc_replay_state_esn(struct xfrm_re=
play_state_esn **replay_esn
 				       struct nlattr *rta)
 {
 	struct xfrm_replay_state_esn *p, *pp, *up;
-	unsigned int klen, ulen;
+	size_t klen, ulen;
=20
 	if (!rta)
 		return 0;
=20
 	up =3D nla_data(rta);
 	klen =3D xfrm_replay_state_esn_len(up);
-	ulen =3D nla_len(rta) >=3D (int)klen ? klen : sizeof(*up);
+	ulen =3D nla_len(rta) >=3D klen ? klen : sizeof(*up);
=20
 	p =3D kzalloc(klen, GFP_KERNEL);
 	if (!p)
--=20
2.45.2