[PATCHSET IPSec 0/3] net: key: Fix address family validation and integer overflow in set_ipsecrequest

Posted by clingfei 1 month, 1 week ago
From: Cheng Lingfei <clf700383@gmail.com>

Hi,

This patchset addresses a security issue in the PF_KEYv2 implementation where
improper address family validation could lead to integer overflows and buffer
calculation errors in the set_ipsecrequest() function.

The core problem stems from two interrelated issues:

1. The `family` parameter in set_ipsecrequest() is declared as u8 but receives
   a 16-bit value, causing truncation of the upper byte.

2. pfkey_sockaddr_len() returns 0 for unsupported address families, but the
   calling code doesn't properly validate this return value before using it in
   size calculations, leading to potential integer overflows.

The patchset is structured as follows:

Patch 1/3: Corrects the type of the family argument from u8 to u16 to prevent
           truncation of 16-bit address family values.

Patch 2/3: Adds proper validation for the return value of pfkey_sockaddr_len()
           to catch unsupported address families early.

Patch 3/3: Enhances the error handling to ensure zero-length allocations are
           properly rejected and adds appropriate error returns.

This series fixes the original issue introduced in:
Fixes: 14ad6ed30a10 ("net: allow small head cache usage with large MAX_SKB_FRAGS values")

This coordinated approach addresses all aspects of the problem discussed in
the recent thread [1, 2] and provides a comprehensive fix for the IPsec subsystem.

[1] https://lore.kernel.org/all/aP_X8sFJKWVycTn0@horms.kernel.org/
[2] https://lore.kernel.org/all/20251027205955.GA4074718@horms.kernel.org/

Thanks to all contributors who identified different facets of this issue.

Best regards.

Edward Adam Davis (1):
  key: No support for family zero

SHAURYA RANE (1):
  net: key: Validate address family in set_ipsecrequest()

clingfei (1):
  fix integer overflow in set_ipsecrequest

 net/key/af_key.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

-- 
2.34.1
Re: [PATCHSET IPSec 0/3] net: key: Fix address family validation and integer overflow in set_ipsecrequest
Posted by Sabrina Dubroca 1 month, 1 week ago
2025-11-06, 21:56:55 +0800, clingfei wrote:
> From: Cheng Lingfei <clf700383@gmail.com>
> 
> Hi,
> 
> This patchset addresses a security issue in the PF_KEYv2 implementation where
> improper address family validation could lead to integer overflows and buffer
> calculation errors in the set_ipsecrequest() function.
> 
> The core problem stems from two interrelated issues:
> 
> 1. The `family` parameter in set_ipsecrequest() is declared as u8 but receives
>    a 16-bit value, causing truncation of the upper byte.
> 
> 2. pfkey_sockaddr_len() returns 0 for unsupported address families, but the
>    calling code doesn't properly validate this return value before using it in
>    size calculations, leading to potential integer overflows.
> 
> The patchset is structured as follows:
> 
> Patch 1/3: Corrects the type of the family argument from u8 to u16 to prevent
>            truncation of 16-bit address family values.
> 
> Patch 2/3: Adds proper validation for the return value of pfkey_sockaddr_len()
>            to catch unsupported address families early.
> 
> Patch 3/3: Enhances the error handling to ensure zero-length allocations are
>            properly rejected and adds appropriate error returns.
> 
> This series fixes the original issue introduced in:
> Fixes: 14ad6ed30a10 ("net: allow small head cache usage with large MAX_SKB_FRAGS values")

This doesn't seem right. It looks more like a mismatch between the
size computation done before allocating the skb and the space actually
needed, and commit 14ad6ed30a10 made the pre-existing bug more visible.

-- 
Sabrina
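The two defects the cover letter lists (a u8 parameter receiving a 16-bit address family, and a zero return from pfkey_sockaddr_len() flowing unchecked into a size computation) and the size-versus-space mismatch Sabrina points to are easier to see in a small userspace model than in the kernel sources. The code below is an added illustration written for this page, not code from the patchset or from net/key/af_key.c. It assumes a simplified ipsecrequest header (the real layout is in include/uapi/linux/pfkeyv2.h), a stand-in `model_sockaddr_len()` with the same "0 for unsupported families" contract the cover letter describes, and that the allocation side sees the full 16-bit family while the writer sees it narrowed to u8; whether the kernel's call chain matches that split exactly is an assumption of the model, not a statement about the real code. The value `TRUNCATING_FAMILY` is constructed so that dropping its upper byte yields AF_INET.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>   /* sa_family_t, AF_INET, AF_INET6, AF_UNSPEC */
#include <netinet/in.h>   /* struct sockaddr_in, struct sockaddr_in6 */

/* Simplified stand-in for the PF_KEY ipsecrequest header (assumption:
 * only its size matters here; the real struct is in pfkeyv2.h). */
struct ipsecrequest_hdr {
    uint16_t len;
    uint16_t proto;
    uint8_t  mode;
    uint8_t  level;
    uint16_t reserved;
    uint32_t reqid;
    uint32_t reserved2;
};

/* Constructed family value: its upper byte is non-zero, but narrowing it
 * to u8 leaves exactly AF_INET. Not a real address family. */
#define TRUNCATING_FAMILY ((sa_family_t)(0x0100 | AF_INET))

/* Same contract the cover letter describes for pfkey_sockaddr_len():
 * a sockaddr length for the families PF_KEY knows, 0 for anything else. */
static int model_sockaddr_len(sa_family_t family)
{
    switch (family) {
    case AF_INET:  return (int)sizeof(struct sockaddr_in);
    case AF_INET6: return (int)sizeof(struct sockaddr_in6);
    }
    return 0;
}

/* "Before": the family arrives as u8 and a zero length is used as-is.
 * Returns the bytes the writer would append for one ipsecrequest. */
static int size_req_unchecked(uint8_t family)
{
    int socklen = model_sockaddr_len(family);
    return (int)sizeof(struct ipsecrequest_hdr) + socklen * 2;
}

/* "After": the family keeps all 16 bits and an unsupported family is
 * rejected before any size arithmetic. Returns the byte count, or -1
 * (standing in for -EINVAL) when the family has no sockaddr layout. */
static int size_req_checked(sa_family_t family)
{
    int socklen = model_sockaddr_len(family);
    if (socklen == 0)
        return -1;
    return (int)sizeof(struct ipsecrequest_hdr) + socklen * 2;
}

/* Model of the mismatch: the allocation side reserves space using the
 * full 16-bit family, the writer appends using the narrowed u8 family.
 * A positive result is the number of bytes written past what was
 * reserved; 0 means the two sides agree. */
static int overrun_bytes(sa_family_t family)
{
    int reserved = (int)sizeof(struct ipsecrequest_hdr)
                 + model_sockaddr_len(family) * 2;
    int written  = size_req_unchecked((uint8_t)family);
    return written - reserved;
}

int main(void)
{
    printf("family 0x%04x: checked=%d unchecked(u8)=%d overrun=%d bytes\n",
           (unsigned)TRUNCATING_FAMILY,
           size_req_checked(TRUNCATING_FAMILY),
           size_req_unchecked((uint8_t)TRUNCATING_FAMILY),
           overrun_bytes(TRUNCATING_FAMILY));
    printf("AF_INET: checked=%d overrun=%d bytes\n",
           size_req_checked(AF_INET), overrun_bytes(AF_INET));
    printf("AF_UNSPEC: checked=%d (rejected)\n", size_req_checked(AF_UNSPEC));
    return 0;
}
```

The checked variant is the shape of all three fixes in one place: widening the parameter removes the silent narrowing, and refusing a zero length means the writer can never append more than the allocator reserved, which is the mismatch Sabrina's reply attributes the crash to rather than to commit 14ad6ed30a10 itself.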