[Lucid CVE-2013-1826] xfrm_user: return error pointer instead of NULL

Luis Henriques luis.henriques at canonical.com
Wed Apr 17 12:24:55 UTC 2013

From: Mathias Krause <minipli at googlemail.com>


BugLink: http://bugs.launchpad.net/bugs/1155026

When dump_one_state() returns an error, e.g. because of a too small
buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
instead of an error pointer. But its callers expect an error pointer
and therefore continue to operate on a NULL skbuff.

This could lead to a privilege escalation (execution of user code in
kernel context) if the attacker has CAP_NET_ADMIN and is able to map
address 0.

Signed-off-by: Mathias Krause <minipli at googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit 864745d291b5ba80ea0bd0edcbe67273de368836)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 net/xfrm/xfrm_user.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a8d83c4..dff20ac 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -647,6 +647,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
 	struct xfrm_dump_info info;
 	struct sk_buff *skb;
+	int err;
 	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
 	if (!skb)
@@ -657,9 +658,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
 	info.nlmsg_seq = seq;
 	info.nlmsg_flags = 0;
-	if (dump_one_state(x, 0, &info)) {
+	err = dump_one_state(x, 0, &info);
+	if (err) {
-		return NULL;
+		return ERR_PTR(err);
 	return skb;

More information about the kernel-team mailing list