In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out of bounds in __xfrm_state_filter_match() when it calls addr_match() with the indexes. Return EINVAL if either are out of range.

References:
https://source.android.com/security/bulletin/pixel/2021-06-01
https://android.googlesource.com/kernel/common/+/b59a23d596807a5aa88d8dd5655a66c6843729b3
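A userspace C model of the range check described above, added here as an illustration; it is not the kernel's code or the patch linked in the references. The names `model_addr_t`, `model_addr_match` and `model_filter_match`, the 16-byte address size and the exact bound are assumptions of this sketch.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a 16-byte address union (IPv4 or IPv6). */
typedef struct { uint32_t a[4]; } model_addr_t;
#define MODEL_ADDR_BITS ((unsigned int)(sizeof(model_addr_t) * 8))

/* Prefix compare: prefixlen selects how many words are read, so an
 * unchecked value walks past the end of the 16-byte address. */
static bool model_addr_match(const model_addr_t *x, const model_addr_t *y,
                             unsigned int prefixlen)
{
    unsigned int words = prefixlen >> 5;   /* whole 32-bit words */
    unsigned int bits = prefixlen & 0x1f;  /* bits in the partial word */

    if (words && memcmp(x->a, y->a, words * 4u) != 0)
        return false;
    if (bits) {
        uint32_t mask = htonl(0xffffffffu << (32 - bits));
        if ((x->a[words] ^ y->a[words]) & mask)
            return false;
    }
    return true;
}

/* Returns 1 on match, 0 on mismatch, -EINVAL when either length is out of
 * range. Assumption of this model: the bound is the address width in bits. */
static int model_filter_match(const model_addr_t *saddr, const model_addr_t *daddr,
                              const model_addr_t *fsaddr, const model_addr_t *fdaddr,
                              unsigned int splen, unsigned int dplen)
{
    if (splen > MODEL_ADDR_BITS || dplen > MODEL_ADDR_BITS)
        return -EINVAL;  /* reject before any indexing happens */
    return model_addr_match(saddr, fsaddr, splen) &&
           model_addr_match(daddr, fdaddr, dplen);
}

int main(void)
{
    /* Constructed sample addresses: 192.168.0.1 vs filter 192.168.0.255. */
    model_addr_t s = {{ htonl(0xc0a80001u), 0, 0, 0 }};
    model_addr_t f = {{ htonl(0xc0a800ffu), 0, 0, 0 }};
    printf("/24: %d\n", model_filter_match(&s, &s, &f, &s, 24, 128));
    printf("splen 255: %d\n", model_filter_match(&s, &s, &f, &s, 255, 128));
    return 0;
}
```

The validation runs once on both lengths before either comparison, so a valid source length cannot mask an invalid destination length.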
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1974825]
This was fixed for Fedora with the 5.8.x stable rebases.