Commit cd8ae32e authored Aug 29, 2025 by Sabrina Dubroca Committed by Steffen Klassert Sep 01, 2025

xfrm: xfrm_alloc_spi shouldn't use 0 as SPI



x->id.spi == 0 means "no SPI assigned", but since commit
94f39804 ("xfrm: Duplicate SPI Handling"), we now create states
and add them to the byspi list with this value.

__xfrm_state_delete doesn't remove those states from the byspi list,
since they shouldn't be there, and this shows up as a UAF the next
time we go through the byspi list.

Reported-by:  <syzbot+a25ee9d20d31e483ba7b@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=a25ee9d20d31e483ba7b


Fixes: 94f39804 ("xfrm: Duplicate SPI Handling")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 52565a93

net/xfrm/xfrm_state.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -2583,6 +2583,8 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high,

		for (h = 0; h < range; h++) {
		u32 spi = (low == high) ? low : get_random_u32_inclusive(low, high);
		if (spi == 0)
		goto next;
		newspi = htonl(spi);

		spin_lock_bh(&net->xfrm.xfrm_state_lock);
		@@ -2598,6 +2600,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high,
		xfrm_state_put(x0);
		spin_unlock_bh(&net->xfrm.xfrm_state_lock);

		next:
		if (signal_pending(current)) {
		err = -ERESTARTSYS;
		goto unlock;