On Thu, Nov 09, 2017 at 10:38:57PM +1100, Herbert Xu wrote:
>
> The xfrm code path is meant to forbid the creation of such a policy.
> I don't currently see how this is bypassing that check. But
> clearly it has found a way through the check since it's crashing.
By castrating the reproducer to not perform a pfkey dump I have
captured the corrupted policy via xfrm:

src ???/0 dst ???/0 uid 0
	socket in action allow index 2083 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2017-11-10 09:58:17 use 2017-11-10 09:58:20
	tmpl src ac14:bb:: dst ::
		proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
		level 5 share any
		enc-mask 00000000 auth-mask 00000000 comp-mask 00000000

For comparison here is a good policy that was also created by the
reproducer:

src fe80::bb/0 dst ::/0 uid 0
	socket in action allow index 2083 priority 0 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft 0(bytes), hard 0(bytes)
	  limit: soft 0(packets), hard 0(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2017-11-10 09:58:17 use 2017-11-10 09:58:17
	tmpl src ac14:bb:: dst ::
		proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
		level 5 share any
		enc-mask 00000000 auth-mask 00000000 comp-mask 00000000

Cheers,
-- 
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
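The two dumps above differ only in the selector: the corrupted record renders both selector addresses as "???", the placeholder iproute2 prints when it cannot render an address for the selector's family, while the template addresses are still well-formed IPv6. The parser below, added here as an example (it is not code from the mail, the reproducer, or iproute2), reads `ip xfrm policy` records in the layout quoted above, classifies the selector and template address families, flags a record whose selector cannot be rendered or whose selector and template families disagree, and reports which fields differ between two records. The helper names and the two embedded sample records (constructed from the dumps in the mail) are this example's own.

```python
"""Parse `ip xfrm policy` records and flag unrenderable selectors.

Added example; not from the original mail or from iproute2.
"""
import ipaddress
import re

# Constructed sample: the corrupted policy quoted in the mail.
CORRUPTED = """\
src ???/0 dst ???/0 uid 0
    socket in action allow index 2083 priority 0 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-11-10 09:58:17 use 2017-11-10 09:58:20
    tmpl src ac14:bb:: dst ::
        proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
        level 5 share any
        enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
"""

# Constructed sample: the good policy from the same reproducer run.
GOOD = """\
src fe80::bb/0 dst ::/0 uid 0
    socket in action allow index 2083 priority 0 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-11-10 09:58:17 use 2017-11-10 09:58:17
    tmpl src ac14:bb:: dst ::
        proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
        level 5 share any
        enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
"""

# First line of a record: selector src/dst with prefix lengths.
SEL_RE = re.compile(r"^src (\S+)/(\d+) dst (\S+)/(\d+)")
# Direction, action and policy index ("socket in", "dir out", ...).
DIR_RE = re.compile(r"^\s*(socket \w+|dir \w+) action (\w+) index (\d+)")
# Template addresses.
TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")


def family(addr):
    """4 or 6 for a printable address, None for ip's '???' placeholder."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def parse_policy(text):
    """Parse one `ip xfrm policy` record into a flat dict (hypothetical helper)."""
    pol = {}
    for line in text.splitlines():
        m = SEL_RE.match(line)
        if m:
            pol.update(src=m.group(1), src_plen=int(m.group(2)),
                       dst=m.group(3), dst_plen=int(m.group(4)))
            continue
        m = DIR_RE.match(line)
        if m:
            pol.update(dir=m.group(1), action=m.group(2), index=int(m.group(3)))
            continue
        m = TMPL_RE.match(line)
        if m:
            pol.update(tmpl_src=m.group(1), tmpl_dst=m.group(2))
    pol["sel_family"] = family(pol["src"])
    pol["tmpl_family"] = family(pol["tmpl_src"])
    return pol


def check_policy(pol):
    """Anomalies in a parsed record; an empty list means it looks sane."""
    issues = []
    if pol["sel_family"] is None or family(pol["dst"]) is None:
        issues.append("selector address not renderable (src=%s dst=%s)"
                      % (pol["src"], pol["dst"]))
    elif pol["tmpl_family"] is not None and pol["sel_family"] != pol["tmpl_family"]:
        issues.append("selector is IPv%d but template is IPv%d"
                      % (pol["sel_family"], pol["tmpl_family"]))
    return issues


def diff_policies(a, b, fields=("src", "dst", "src_plen", "dst_plen",
                                "index", "tmpl_src", "tmpl_dst")):
    """Fields on which two parsed records differ, as {field: (a, b)}."""
    return {f: (a[f], b[f]) for f in fields if a[f] != b[f]}


if __name__ == "__main__":
    bad, good = parse_policy(CORRUPTED), parse_policy(GOOD)
    print("corrupted:", check_policy(bad))
    print("good:", check_policy(good))
    print("diff:", diff_policies(bad, good))
```

Run against the two records, the checker reports the corrupted policy's unrenderable selector and the good policy as clean, and the diff confirms that index, prefix lengths and template are identical, so the selector is the only thing that went wrong. The same functions can be fed the output of `ip xfrm policy` on a live box to spot such a record before it is hit by a lookup.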