From: Herbert Xu herbert@gondor.apana.org.au
mainline inclusion from mainline-v6.0-rc3 commit ba953a9d89a00c078b85f4b190bc1dde66fe16b5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5OPA4 CVE: CVE-2022-3028
--------------------------------
When namespace support was added to xfrm/afkey, it caused the previously single-threaded call to xfrm_probe_algs to become multi-threaded. This is buggy and needs to be fixed with a mutex.
Reported-by: Abhishek Shah abhishek.shah@columbia.edu Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks") Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Steffen Klassert steffen.klassert@secunet.com Signed-off-by: Xu Jia xujia39@huawei.com Reviewed-by: Wei Yongjun weiyongjun1@huawei.com Reviewed-by: Wang Weiyang wangweiyang2@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- net/key/af_key.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c index 0107cc10c4a2..23470b0d84aa 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1707,9 +1707,12 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad pfk->registered |= (1<<hdr->sadb_msg_satype); }
+ mutex_lock(&pfkey_mutex); xfrm_probe_algs();
supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); + mutex_unlock(&pfkey_mutex); + if (!supp_skb) { if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) pfk->registered &= ~(1<<hdr->sadb_msg_satype);