LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, bunk@kernel.org,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>
Subject: [patch 11/27] IPSEC: Avoid undefined shift operation when testing algorithm ID
Date: Fri, 1 Feb 2008 16:20:24 -0800	[thread overview]
Message-ID: <20080202002024.GL8368@suse.de> (raw)
In-Reply-To: <20080202001927.GA8368@suse.de>

[-- Attachment #1: ipsec-avoid-undefined-shift-operation-when-testing-algorithm-id.patch --]
[-- Type: text/plain, Size: 1802 bytes --]

2.6.22-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: Herbert Xu <herbert@gondor.apana.org.au>

[IPSEC]: Avoid undefined shift operation when testing algorithm ID

[ Upstream commit: f398035f2dec0a6150833b0bc105057953594edb ]

The aalgos/ealgos fields are only 32 bits wide.  However, af_key tries
to test them with the expression 1 << id where id can be as large as
253.  This produces different behaviour on different architectures.

The following patch explicitly checks whether ID is greater than 31
and fails the check if that's the case.

We cannot easily extend the mask to be longer than 32 bits due to
exposure to user-space.  Besides, this whole interface is obsolete
anyway in favour of the xfrm_user interface which doesn't use this
bit mask in templates (well not within the kernel anyway).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/key/af_key.c |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2777,12 +2777,22 @@ static struct sadb_msg *pfkey_get_base_m
 
 static inline int aalg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
 {
-	return t->aalgos & (1 << d->desc.sadb_alg_id);
+	unsigned int id = d->desc.sadb_alg_id;
+
+	if (id >= sizeof(t->aalgos) * 8)
+		return 0;
+
+	return (t->aalgos >> id) & 1;
 }
 
 static inline int ealg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
 {
-	return t->ealgos & (1 << d->desc.sadb_alg_id);
+	unsigned int id = d->desc.sadb_alg_id;
+
+	if (id >= sizeof(t->ealgos) * 8)
+		return 0;
+
+	return (t->ealgos >> id) & 1;
 }
 
 static int count_ah_combs(struct xfrm_tmpl *t)

-- 

  parent reply	other threads:[~2008-02-02  0:28 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20080202001232.472591439@mini.kroah.org>
2008-02-02  0:19 ` [patch 00/27] 2.6.22-stable review Greg KH
2008-02-02  0:19   ` [patch 01/27] X25: Add missing x25_neigh_put Greg KH
2008-02-02  0:19   ` [patch 02/27] SPARC64: Fix two kernel linear mapping setup bugs Greg KH
2008-02-02  0:20   ` [patch 03/27] SPARC64: Fix memory controller register access when non-SMP Greg KH
2008-02-02  0:20   ` [patch 04/27] NET: mcs7830 passes msecs instead of jiffies to usb_control_msg Greg KH
2008-02-02  0:20   ` [patch 05/27] NET: kaweth was forgotten in msec switchover of usb_start_wait_urb Greg KH
2008-02-02  0:20   ` [patch 06/27] NET: Correct two mistaken skb_reset_mac_header() conversions Greg KH
2008-02-02  0:20   ` [patch 07/27] IRDA: irda_create() nuke user triggable printk Greg KH
2008-02-02  0:20   ` [patch 08/27] IPV4 ROUTE: ip_rt_dump() is unecessary slow Greg KH
2008-02-02  0:20   ` [patch 09/27] IPV4: ip_gre: set mac_header correctly in receive path Greg KH
2008-02-02  0:20   ` [patch 10/27] IPSEC: Fix potential dst leak in xfrm_lookup Greg KH
2008-02-02  0:20   ` Greg KH [this message]
2008-02-02  0:20   ` [patch 12/27] INET: Fix netdev renaming and inet address labels Greg KH
2008-02-02  0:20   ` [patch 13/27] : Fix sparc64 cpu cross call hangs Greg KH
2008-02-02  0:20   ` [patch 14/27] CONNECTOR: Dont touch queue dev after decrement of ref count Greg KH
2008-02-02  0:20   ` [patch 15/27] ATM: delay irq setup until card is configured Greg KH
2008-02-02  0:20   ` [patch 16/27] ATM: Check IP header validity in mpc_send_packet Greg KH
2008-02-02  0:20   ` [patch 17/27] CASSINI: Fix endianness bug Greg KH
2008-02-02  0:20   ` [patch 18/27] CASSINI: Revert dont touch page_count Greg KH
2008-02-02  0:20   ` [patch 19/27] CASSINI: Set skb->truesize properly on receive packets Greg KH
2008-02-02  0:20   ` [patch 20/27] ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference Greg KH
2008-02-02  0:20   ` [patch 21/27] vfs: coredumping fix (CVE-2007-6206) Greg KH
2008-02-02  0:21   ` [patch 22/27] quicklist: Set tlb->need_flush if pages are remaining in quicklist 0 Greg KH
2008-02-02  0:39     ` Christoph Lameter
2008-02-02  0:50       ` Greg KH
2008-02-02  1:28       ` Justin M. Forbes
2008-02-02  1:30         ` Christoph Lameter
2008-02-02  2:20           ` Justin M. Forbes
2008-02-06 22:45           ` Greg KH
2008-02-06 23:11             ` Oliver Pinter
2008-02-06 23:28               ` Christoph Lameter
2008-02-09 15:14               ` Fwd: " Oliver Pinter
2008-02-02  0:21   ` [patch 23/27] cxgb: fix T2 GSO Greg KH
2008-02-02  0:21   ` [patch 24/27] cxgb: fix stats Greg KH
2008-02-02  0:21   ` [patch 25/27] chelsio: Fix skb->dev setting Greg KH
2008-02-02  0:21   ` [patch 26/27] POWERPC: Fix invalid semicolon after if statement Greg KH
2008-02-02  0:21   ` [patch 27/27] ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9 Greg KH
2008-02-02 18:55   ` [patch 00/27] 2.6.22-stable review Arkadiusz Miskiewicz
2008-02-04 17:30   ` Oliver Pinter (Pintér Olivér)
2008-02-04 17:59     ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080202002024.GL8368@suse.de \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=bunk@kernel.org \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    --subject='Re: [patch 11/27] IPSEC: Avoid undefined shift operation when testing algorithm ID' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).