NetBSD Problem Report #52150

From www@NetBSD.org  Mon Apr 10 01:52:10 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id BE24B7A1FC
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 10 Apr 2017 01:52:10 +0000 (UTC)
Message-Id: <20170410015209.AB0077A263@mollari.NetBSD.org>
Date: Mon, 10 Apr 2017 01:52:09 +0000 (UTC)
From: ozaki-r@netbsd.org
Reply-To: ozaki-r@netbsd.org
To: gnats-bugs@NetBSD.org
Subject: ipsec: kernel panic on adding a key with an invalid length
X-Send-Pr-Version: www-1.0

>Number:         52150
>Category:       kern
>Synopsis:       ipsec: kernel panic on adding a key with an invalid length
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          needs-pullups
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 10 01:55:00 +0000 2017
>Closed-Date:    
>Last-Modified:  Thu Jun 25 17:10:02 +0000 2020
>Originator:     Ryota Ozaki
>Release:        -current, -7 (and probably -6)
>Organization:
IIJ
>Environment:
NetBSD kvm 7.99.67 NetBSD 7.99.67 (KVM) #870: Thu Apr  6 18:04:41 JST 2017  ozaki-r@rangeley:(hidden) amd64
>Description:
Encryption types aes-gmac and aes-gcm-16 accept keys with lengths
160, 224 or 288 according to setkey(8). Adding a key with an
invalid length expects to fail with EINVAL or something, however,
instead the kernel gets panic.

This is an example output of a kernel panic:

kvm# setkey -c <<EOF
> add 10.0.0.1 10.0.0.2 esp 10000 -E aes-gmac "hogehogehogehogehogehoge";
> EOF
uvm_fault(0xfffffe8035304d10, 0x0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 0xffffffff804c32e1 cs 0x8 rflags 0x10286 cr2 0 ilevel 0x4 rsp 0xfffffe8003764760
curlwp 0xfffffe803a564960 pid 73.1 lowest kstack 0xfffffe80037612c0
kernel: page fault trap, code=0
Stopped in pid 73.1 (setkey) at netbsd:esp_init+0x291:  movl    0(%r8),%eax
db{0}> bt
esp_init() at netbsd:esp_init+0x291
key_setsaval() at netbsd:key_setsaval+0x3b0
key_newsav.constprop.26() at netbsd:key_newsav.constprop.26+0xf8
key_add() at netbsd:key_add+0x2cc
key_parse() at netbsd:key_parse+0x725
key_output() at netbsd:key_output+0x162
key_send_wrapper() at netbsd:key_send_wrapper+0x6c
sosend() at netbsd:sosend+0x76f
do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x272
do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x85
sys_sendto() at netbsd:sys_sendto+0x5c
syscall() at netbsd:syscall+0x1ed
--- syscall (number 133) ---
7f7ff70fdbca:

>How-To-Repeat:
Boot a kernel with IPSEC enabled and run the following command:
  setkey -c <<EOF
  add 10.0.0.1 10.0.0.2 esp 10000 -E aes-gmac "hogehogehogehogehogehoge";
  EOF

>Fix:
In esp_init, for aes-gmac and aes-gcm-16, sav->tdb_authalgxform is set
when the key length is valid but not set when invalid lengths. So later
accessing sav->tdb_authalgxform->type can cause a NULL pointer dereference.

diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 4a577539dde..0a9dba81359 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -241,6 +241,10 @@ esp_init(struct secasvar *sav, const struct xformsw *xsp)
                        sav->alg_auth = SADB_X_AALG_AES256GMAC;
                        sav->tdb_authalgxform = &auth_hash_gmac_aes_256;
                        break;
+               default:
+                       DPRINTF(("%s: invalid key length %u, must be either of "
+                           "20, 28 or 36\n", __func__, keylen));
+                       return EINVAL;
                }
                memset(&cria, 0, sizeof(cria));
                cria.cri_alg = sav->tdb_authalgxform->type;

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52150 CVS commit: src/sys/netipsec
Date: Mon, 10 Apr 2017 10:19:23 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Mon Apr 10 14:19:23 UTC 2017

 Modified Files:
 	src/sys/netipsec: xform_esp.c

 Log Message:
 PR/52150: Ryota Ozaki: ipsec: kernel panic on adding a key with an invalid
 length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.47 -r1.48 src/sys/netipsec/xform_esp.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->needs-pullups
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Mon, 05 Mar 2018 16:16:34 +0000
State-Changed-Why:


From: "Jukka Ruohonen" <jruoho@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52150 CVS commit: src
Date: Thu, 25 Jun 2020 17:08:33 +0000

 Module Name:	src
 Committed By:	jruoho
 Date:		Thu Jun 25 17:08:33 UTC 2020

 Modified Files:
 	src/distrib/sets/lists/tests: mi
 	src/etc/mtree: NetBSD.dist.tests
 	src/tests/sbin: Makefile
 Added Files:
 	src/tests/sbin/setkey: Makefile t_setkey.sh

 Log Message:
 Verify that PR kern/52150 is no longer present.


 To generate a diff of this commit:
 cvs rdiff -u -r1.852 -r1.853 src/distrib/sets/lists/tests/mi
 cvs rdiff -u -r1.167 -r1.168 src/etc/mtree/NetBSD.dist.tests
 cvs rdiff -u -r1.8 -r1.9 src/tests/sbin/Makefile
 cvs rdiff -u -r0 -r1.1 src/tests/sbin/setkey/Makefile \
     src/tests/sbin/setkey/t_setkey.sh

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.