NetBSD Problem Report #52150
From www@NetBSD.org Mon Apr 10 01:52:10 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id BE24B7A1FC
for <gnats-bugs@gnats.NetBSD.org>; Mon, 10 Apr 2017 01:52:10 +0000 (UTC)
Message-Id: <20170410015209.AB0077A263@mollari.NetBSD.org>
Date: Mon, 10 Apr 2017 01:52:09 +0000 (UTC)
From: ozaki-r@netbsd.org
Reply-To: ozaki-r@netbsd.org
To: gnats-bugs@NetBSD.org
Subject: ipsec: kernel panic on adding a key with an invalid length
X-Send-Pr-Version: www-1.0
>Number: 52150
>Category: kern
>Synopsis: ipsec: kernel panic on adding a key with an invalid length
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 10 01:55:00 +0000 2017
>Closed-Date: Fri Mar 31 09:23:20 +0000 2023
>Last-Modified: Fri Mar 31 09:23:20 +0000 2023
>Originator: Ryota Ozaki
>Release: -current, -7 (and probably -6)
>Organization:
IIJ
>Environment:
NetBSD kvm 7.99.67 NetBSD 7.99.67 (KVM) #870: Thu Apr 6 18:04:41 JST 2017 ozaki-r@rangeley:(hidden) amd64
>Description:
Encryption types aes-gmac and aes-gcm-16 accept keys with lengths
160, 224 or 288 according to setkey(8). Adding a key with an
invalid length is expected to fail with EINVAL or something; however,
instead the kernel panics.
This is an example output of a kernel panic:
kvm# setkey -c <<EOF
> add 10.0.0.1 10.0.0.2 esp 10000 -E aes-gmac "hogehogehogehogehogehoge";
> EOF
uvm_fault(0xfffffe8035304d10, 0x0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 0xffffffff804c32e1 cs 0x8 rflags 0x10286 cr2 0 ilevel 0x4 rsp 0xfffffe8003764760
curlwp 0xfffffe803a564960 pid 73.1 lowest kstack 0xfffffe80037612c0
kernel: page fault trap, code=0
Stopped in pid 73.1 (setkey) at netbsd:esp_init+0x291: movl 0(%r8),%eax
db{0}> bt
esp_init() at netbsd:esp_init+0x291
key_setsaval() at netbsd:key_setsaval+0x3b0
key_newsav.constprop.26() at netbsd:key_newsav.constprop.26+0xf8
key_add() at netbsd:key_add+0x2cc
key_parse() at netbsd:key_parse+0x725
key_output() at netbsd:key_output+0x162
key_send_wrapper() at netbsd:key_send_wrapper+0x6c
sosend() at netbsd:sosend+0x76f
do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x272
do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x85
sys_sendto() at netbsd:sys_sendto+0x5c
syscall() at netbsd:syscall+0x1ed
--- syscall (number 133) ---
7f7ff70fdbca:
>How-To-Repeat:
Boot a kernel with IPSEC enabled and run the following command:
setkey -c <<EOF
add 10.0.0.1 10.0.0.2 esp 10000 -E aes-gmac "hogehogehogehogehogehoge";
EOF
>Fix:
In esp_init, for aes-gmac and aes-gcm-16, sav->tdb_authalgxform is set
when the key length is valid but not set for invalid lengths. So later
accessing sav->tdb_authalgxform->type can cause a NULL pointer dereference.
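The control flow described above, modelled in user space as an added example. This is not NetBSD code: struct auth_hash, struct secasvar, struct cryptoini and the three auth_hash_gmac_aes_* descriptors are simplified stand-ins with assumed contents (the type values 101 to 103 are arbitrary), and esp_init_prefix_would_panic / esp_init_fixed / try_key are names chosen for the example. It places the pre-fix dispatch, which leaves tdb_authalgxform NULL for any length other than 20, 28 or 36 bytes, beside the checked version, and feeds both the report's 24-byte key:

```c
/*
 * Added example (not NetBSD code): a user-space model of the esp_init()
 * key-length dispatch for aes-gmac / aes-gcm-16 described in PR 52150.
 * Struct and descriptor names are simplified stand-ins for the kernel
 * ones; only the control flow the report describes is reproduced.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's auth_hash transform descriptors (assumed shape). */
struct auth_hash {
    int type;            /* first member, so a read through NULL faults at address 0 */
    const char *name;
};

static const struct auth_hash auth_hash_gmac_aes_128 = { 101, "aes-128-gmac" };
static const struct auth_hash auth_hash_gmac_aes_192 = { 102, "aes-192-gmac" };
static const struct auth_hash auth_hash_gmac_aes_256 = { 103, "aes-256-gmac" };

/* Stand-in for the parts of struct secasvar the dispatch touches. */
struct secasvar {
    unsigned int key_enc_len;                  /* key length in bytes */
    const struct auth_hash *tdb_authalgxform;  /* NULL until the switch assigns it */
};

struct cryptoini {
    int cri_alg;
};

/*
 * Pre-fix behaviour, modelled without crashing.  The switch assigns
 * tdb_authalgxform only for 20/28/36-byte keys (160/224/288 bits, as
 * documented in setkey(8)); any other length leaves it NULL, and the
 * following "cria.cri_alg = sav->tdb_authalgxform->type" dereferences
 * NULL.  Returns 1 when that dereference would happen, 0 otherwise.
 */
int esp_init_prefix_would_panic(unsigned int keylen)
{
    const struct auth_hash *xform = NULL;

    switch (keylen) {
    case 20: xform = &auth_hash_gmac_aes_128; break;
    case 28: xform = &auth_hash_gmac_aes_192; break;
    case 36: xform = &auth_hash_gmac_aes_256; break;
    }
    return xform == NULL;
}

/*
 * Fixed behaviour: reject every length the switch does not handle before
 * anything dereferences tdb_authalgxform.  Returns 0 or EINVAL.
 */
int esp_init_fixed(struct secasvar *sav, struct cryptoini *cria)
{
    switch (sav->key_enc_len) {
    case 20: sav->tdb_authalgxform = &auth_hash_gmac_aes_128; break;
    case 28: sav->tdb_authalgxform = &auth_hash_gmac_aes_192; break;
    case 36: sav->tdb_authalgxform = &auth_hash_gmac_aes_256; break;
    default:
        fprintf(stderr, "esp_init: invalid key length %u, must be 20, 28 or 36 bytes\n",
                sav->key_enc_len);
        return EINVAL;
    }
    memset(cria, 0, sizeof(*cria));
    cria->cri_alg = sav->tdb_authalgxform->type;   /* never NULL on this path */
    return 0;
}

/* Run the fixed path for a key given as a string; the key length is its byte count. */
int try_key(const char *key, struct cryptoini *cria)
{
    struct secasvar sav;

    memset(&sav, 0, sizeof(sav));
    sav.key_enc_len = (unsigned int)strlen(key);
    return esp_init_fixed(&sav, cria);
}

int main(void)
{
    /* Constructed inputs: the report's 24-byte key and a valid 20-byte one. */
    const char *keys[] = { "hogehogehogehogehogehoge", "01234567890123456789" };
    size_t i;

    for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
        struct cryptoini cria;
        unsigned int len = (unsigned int)strlen(keys[i]);

        printf("key of %u bytes: pre-fix would panic=%d, fixed returns %d\n",
               len, esp_init_prefix_would_panic(len), try_key(keys[i], &cria));
    }
    return 0;
}
```

The 24-byte key from the report (192 bits) matches none of the three cases, so the pre-fix model reports that the dereference would happen while the fixed path returns EINVAL; the trap in the report (cr2 0, stopped at esp_init on `movl 0(%r8),%eax`) is consistent with exactly that read of a first struct member through a NULL pointer.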
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 4a577539dde..0a9dba81359 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -241,6 +241,10 @@ esp_init(struct secasvar *sav, const struct xformsw *xsp)
sav->alg_auth = SADB_X_AALG_AES256GMAC;
sav->tdb_authalgxform = &auth_hash_gmac_aes_256;
break;
+ default:
+ DPRINTF(("%s: invalid key length %u, must be either of "
+ "20, 28 or 36\n", __func__, keylen));
+ return EINVAL;
}
memset(&cria, 0, sizeof(cria));
cria.cri_alg = sav->tdb_authalgxform->type;
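Review bot: the DPRINTF in the new default case reports the accepted lengths as "20, 28 or 36" without a unit, while the report and setkey(8) quote them as 160, 224 or 288 (bits); stating the unit, e.g. "must be 20, 28 or 36 bytes", avoids the mismatch when someone compares the message against the manual page. The early return itself is the right fix for the NULL dereference at "cria.cri_alg = sav->tdb_authalgxform->type;", but the hunk's three lines of leading context do not show whether anything allocated earlier in esp_init() needs releasing on this new error path, so that should be confirmed before pullup.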
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52150 CVS commit: src/sys/netipsec
Date: Mon, 10 Apr 2017 10:19:23 -0400
Module Name: src
Committed By: christos
Date: Mon Apr 10 14:19:23 UTC 2017
Modified Files:
src/sys/netipsec: xform_esp.c
Log Message:
PR/52150: Ryota Ozaki: ipsec: kernel panic on adding a key with an invalid
length.
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/sys/netipsec/xform_esp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Mon, 05 Mar 2018 16:16:34 +0000
State-Changed-Why:
From: "Jukka Ruohonen" <jruoho@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52150 CVS commit: src
Date: Thu, 25 Jun 2020 17:08:33 +0000
Module Name: src
Committed By: jruoho
Date: Thu Jun 25 17:08:33 UTC 2020
Modified Files:
src/distrib/sets/lists/tests: mi
src/etc/mtree: NetBSD.dist.tests
src/tests/sbin: Makefile
Added Files:
src/tests/sbin/setkey: Makefile t_setkey.sh
Log Message:
Verify that PR kern/52150 is no longer present.
To generate a diff of this commit:
cvs rdiff -u -r1.852 -r1.853 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.167 -r1.168 src/etc/mtree/NetBSD.dist.tests
cvs rdiff -u -r1.8 -r1.9 src/tests/sbin/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/sbin/setkey/Makefile \
src/tests/sbin/setkey/t_setkey.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 31 Mar 2023 09:23:20 +0000
State-Changed-Why:
netbsd-6 and netbsd-7 are EOL, no need for pullups
>Unformatted:
Copyright © 1994-2023
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.