Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

af_key: relax availability checks for skb size calculation

xfrm_probe_algs() probes kernel crypto modules and changes the
availability of struct xfrm_algo_desc. But there is a small window
where ealg->available and aalg->available get changed between
count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs();
in this case we may allocate a smaller skb but later put a larger
amount of data and trigger the panic in skb_put().

Fix this by relaxing the checks when counting the size, that is,
skipping the test of ->available. We may waste some memory for a few
of sizeof(struct sadb_comb), but it is still much better than a panic.

Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Authored by Cong Wang, committed by Steffen Klassert
afbc293a 9f8550e4

+3 -3
net/key/af_key.c
··· 2902 2902 break; 2903 2903 if (!aalg->pfkey_supported) 2904 2904 continue; 2905 - if (aalg_tmpl_set(t, aalg) && aalg->available) 2905 + if (aalg_tmpl_set(t, aalg)) 2906 2906 sz += sizeof(struct sadb_comb); 2907 2907 } 2908 2908 return sz + sizeof(struct sadb_prop); ··· 2920 2920 if (!ealg->pfkey_supported) 2921 2921 continue; 2922 2922 2923 - if (!(ealg_tmpl_set(t, ealg) && ealg->available)) 2923 + if (!(ealg_tmpl_set(t, ealg))) 2924 2924 continue; 2925 2925 2926 2926 for (k = 1; ; k++) { ··· 2931 2931 if (!aalg->pfkey_supported) 2932 2932 continue; 2933 2933 2934 - if (aalg_tmpl_set(t, aalg) && aalg->available) 2934 + if (aalg_tmpl_set(t, aalg)) 2935 2935 sz += sizeof(struct sadb_comb); 2936 2936 } 2937 2937 }
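Review bot: in the hunk at line 2905 (count_ah_combs()), dropping `aalg->available` from the condition turns the computed size into an upper bound rather than an exact count, while the matching dump function named in the log still applies the ->available test when writing; a short comment at the count site saying the over-count is deliberate, so the allocation stays ahead of xfrm_probe_algs() flipping ->available between count and dump, would stop a later cleanup from re-adding the check to make the two sides "consistent" and reintroducing the skb_put() overrun.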
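Review bot: the hunk at line 2923 leaves a redundant pair of parentheses behind after removing the `&& ealg->available` operand: `if (!(ealg_tmpl_set(t, ealg)))` reads more cleanly as `if (!ealg_tmpl_set(t, ealg))`, matching the single-condition form used at lines 2905 and 2934.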
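Review bot: the hunk at line 2934 (inner aalg loop of count_esp_combs()) now relies on the remaining filters, `aalg->pfkey_supported` and `aalg_tmpl_set(t, aalg)`, being stable between the count and dump passes; they are, since neither is modified by xfrm_probe_algs(), but the commit message only discusses ->available, so one sentence stating that the other conditions are fixed properties of the algorithm table and the template would make the claim that the size is now always sufficient explicit for future readers.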