Bug 1974823 (CVE-2021-0605) - CVE-2021-0605 kernel: In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out of bounds
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-0605
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1982265 1982266 1982267 1891595 1974825 1981458 1981459
Blocks: 1974826
Reported: 2021-06-22 15:44 UTC by Pedro Sampaio
Modified: 2023-05-12 21:19 UTC (History)

Fixed In Version: Linux kernel v 5.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Linux kernel's pfkey_dump function trusted the provided filter size parameters. A local, sufficiently privileged user could use this flaw to leak information from the kernel.
Clone Of:
Environment:
Last Closed: 2021-12-15 11:24:17 UTC
Embargoed:


Description Pedro Sampaio 2021-06-22 15:44:23 UTC
In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out of bounds in __xfrm_state_filter_match() when it calls addr_match() with the indexes. Return EINVAL if either is out of range.

References:

https://source.android.com/security/bulletin/pixel/2021-06-01
https://android.googlesource.com/kernel/common/+/b59a23d596807a5aa88d8dd5655a66c6843729b3
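An added user-space model of the prefix-length handling the description refers to; this is illustration, not the kernel's code or the linked commit. The xfrm_address_t, sadb_x_filter and addr_match() shapes are simplified reconstructions, and pfkey_validate_filter() is a hypothetical stand-in for the check added in pfkey_dump().

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Model of the kernel's xfrm_address_t: IPv4 or IPv6, 16 bytes = 4 words. */
typedef union {
    uint32_t a4;
    uint32_t a6[4];
} xfrm_address_t;

/* Widest prefix the union can hold: sizeof(xfrm_address_t) << 3 = 128 bits. */
#define XFRM_ADDR_MAX_BITS ((unsigned)(sizeof(xfrm_address_t) << 3))

/* Simplified SADB_X_EXT_FILTER payload; the two 8-bit lengths are user-supplied. */
struct sadb_x_filter {
    uint8_t sadb_x_filter_splen;
    uint8_t sadb_x_filter_dplen;
};

/* 32-bit words addr_match() reads for a prefix length; above 4 is past the union. */
static unsigned addr_match_words_read(unsigned prefixlen)
{
    return (prefixlen >> 5) + ((prefixlen & 0x1f) ? 1 : 0);
}

/* Model of addr_match(): compare the first prefixlen bits word by word. The word
 * count comes straight from prefixlen, so callers must bound it first (host order here). */
static int addr_match(const xfrm_address_t *t1, const xfrm_address_t *t2, unsigned prefixlen)
{
    unsigned pdw = prefixlen >> 5, pbi = prefixlen & 0x1f;
    if (pdw && memcmp(t1->a6, t2->a6, pdw << 2))
        return 0;
    if (pbi) {
        uint32_t mask = 0xffffffffu << (32 - pbi);
        if ((t1->a6[pdw] ^ t2->a6[pdw]) & mask)
            return 0;
    }
    return 1;
}

/* Hypothetical model of the fix: refuse a filter whose prefix lengths would make
 * addr_match() read beyond the address. Returns 0 if usable, -EINVAL if rejected. */
static int pfkey_validate_filter(const struct sadb_x_filter *f)
{
    if (f->sadb_x_filter_splen > XFRM_ADDR_MAX_BITS ||
        f->sadb_x_filter_dplen > XFRM_ADDR_MAX_BITS)
        return -EINVAL;
    return 0;
}
```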

Comment 1 Pedro Sampaio 2021-06-22 15:49:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1974825]

Comment 2 Justin M. Forbes 2021-06-29 15:58:19 UTC
This was fixed for Fedora with the 5.8.x stable rebases.

