On Wed, Apr 12, 2017 at 8:02 AM, Andrey Konovalov <andreyk...@google.com> wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>
> A reproducer and .config are attached.
>
> When subtracting rq->sadb_x_ipsecrequest_len from len it can become
> negative and the while loop condition remains true.
Good catch! Seems the fix is pretty straightforward:

diff --git a/net/key/af_key.c b/net/key/af_key.c index c6252ed..cbce595 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1945,7 +1945,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol) if (pol->sadb_x_policy_len * 8 < sizeof(struct sadb_x_policy)) return -EINVAL; - while (len >= sizeof(struct sadb_x_ipsecrequest)) { + while (len >= (int)sizeof(struct sadb_x_ipsecrequest)) { if ((err = parse_ipsecrequest(xp, rq)) < 0) return err; len -= rq->sadb_x_ipsecrequest_len;

But pol->sadb_x_policy_len and rq->sadb_x_ipsecrequest_len are controllable by user (fortunately root), I am feeling there might be other problems I miss too.
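Review bot: the `(int)` cast in the while condition makes the loop stop once `len` has gone negative, but `len -= rq->sadb_x_ipsecrequest_len` still subtracts a user-controlled value that is never checked: a zero `sadb_x_ipsecrequest_len` leaves `len` unchanged so the loop repeats with the same request, and a value larger than the remaining `len` means `parse_ipsecrequest()` was already called on a request that extends past the buffer before the loop exits. Validate the length before consuming it, for example `if (rq->sadb_x_ipsecrequest_len < sizeof(*rq) || rq->sadb_x_ipsecrequest_len > len) return -EINVAL;` ahead of the `parse_ipsecrequest()` call; that also covers the concern in the reply about both length fields being user-controlled.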
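To make the reporter's point concrete, here is an added example (constructed for this thread, not code from the kernel or from either poster) showing why the original comparison keeps looping once `len` goes negative and what a per-request length check looks like; the `ipsecrequest_hdr` struct, the byte-unit length field and the sample policies are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the PF_KEY per-request header (assumption: the
 * 16-bit length counts bytes and covers the whole request, header included). */
struct ipsecrequest_hdr {
    uint16_t len, proto;
    uint8_t  mode, level;
    uint16_t reserved;
};

/* Original loop condition: len is a signed int, sizeof() is size_t, so a
 * negative len converts to a huge unsigned value and the test stays true. */
int unsigned_cmp_continues(int len)
{
    return len >= sizeof(struct ipsecrequest_hdr);
}

/* Condition as patched: the cast makes the comparison signed. */
int signed_cmp_continues(int len)
{
    return len >= (int)sizeof(struct ipsecrequest_hdr);
}

/* Hardened walk: validate each user-supplied length against the header size
 * and the bytes remaining before consuming it; -1 means malformed policy. */
int walk_checked(const uint8_t *buf, int len)
{
    int n = 0;
    while (len >= (int)sizeof(struct ipsecrequest_hdr)) {
        struct ipsecrequest_hdr rq;
        memcpy(&rq, buf, sizeof rq);
        /* a short length would repeat forever, an oversize one runs past buf */
        if (rq.len < sizeof rq || rq.len > (unsigned)len)
            return -1;
        len -= rq.len;
        buf += rq.len;
        n++;
    }
    return n;
}

/* Constructed sample: two 8-byte requests (0), first with zero length (1), first with length beyond the buffer (2). */
int demo(int which)
{
    struct ipsecrequest_hdr reqs[2] = { { 8, 50, 2, 1, 0 }, { 8, 51, 2, 1, 0 } };
    if (which == 1) reqs[0].len = 0;
    if (which == 2) reqs[0].len = 40;
    return walk_checked((const uint8_t *)reqs, (int)sizeof reqs);
}
```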