Merge branch 'xfrm/compat: syzbot-found fixes'

Dmitry Safonov says: ==================== v2: Added "Fixes" tags to the patches. WARN_ON() for XFRMA_UNSPEC translation which likely no-one except syzkaller uses; properly zerofy tail-padding for 64-bit attribute; don't use __GFP_ZERO as the memory is initialized during translation. ==================== Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2020-11-10 07:30:44 +01:00 · 2020-11-10 07:30:44 +01:00 · bc0230b646
parent 4e0396c595 ad37f77fd3
commit bc0230b646
1 changed files with 3 additions and 2 deletions
--- a/net/xfrm/xfrm_compat.c
+++ b/net/xfrm/xfrm_compat.c
@ -234,6 +234,7 @@ static int xfrm_xlate64_attr(struct sk_buff *dst, const struct nlattr *src)
 	case XFRMA_PAD:
 		/* Ignore */
 		return 0;
+	case XFRMA_UNSPEC:
 	case XFRMA_ALG_AUTH:
 	case XFRMA_ALG_CRYPT:
 	case XFRMA_ALG_COMP:
@ -387,7 +388,7 @@ static int xfrm_attr_cpy32(void *dst, size_t *pos, const struct nlattr *src,

 	memcpy(nla, src, nla_attr_size(copy_len));
 	nla->nla_len = nla_attr_size(payload);
-	*pos += nla_attr_size(payload);
+	*pos += nla_attr_size(copy_len);
 	nlmsg->nlmsg_len += nla->nla_len;

 	memset(dst + *pos, 0, payload - copy_len);
@ -563,7 +564,7 @@ static struct nlmsghdr *xfrm_user_rcv_msg_compat(const struct nlmsghdr *h32,
 		return NULL;

 	len += NLMSG_HDRLEN;
-	h64 = kvmalloc(len, GFP_KERNEL | __GFP_ZERO);
+	h64 = kvmalloc(len, GFP_KERNEL);
 	if (!h64)
 		return ERR_PTR(-ENOMEM);