Merge branch 'wg-fixes'

Jason A. Donenfeld says: ==================== wireguard fixes for 5.6-rc1 Here are fixes for WireGuard before 5.6-rc1 is tagged. It includes: 1) A fix for a UaF (caused by kmalloc failing during a very small allocation) that syzkaller found, from Eric Dumazet. 2) A fix for a deadlock that syzkaller found, along with an additional selftest to ensure that the bug fix remains correct, from me. 3) Two little fixes/cleanups to the selftests from Krzysztof Kozlowski and me. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2020-02-05 14:14:19 +0100
committer: David S. Miller <davem@davemloft.net> 2020-02-05 14:14:19 +0100
commit: a25ee2347537207bc24a5c51a6e9493a745460b9 (patch)
tree: b96a7b35194c5b42783da38b4a94529718a59faf
parent: b5c094430092b4baf71d276b3ab7896bb4530951 (diff)
parent: 298f25ad3d9c59072bfb730469dedc6897fa3d85 (diff)
download: wireguard-linux-trimmed-a25ee2347537207bc24a5c51a6e9493a745460b9.tar.gz
wireguard-linux-trimmed-a25ee2347537207bc24a5c51a6e9493a745460b9.zip
3 files changed, 10 insertions, 7 deletions
diff --git a/drivers/net/wireguard/allowedips.c b/drivers/net/wireguard/allowedips.c
index 121d9ea..3725e9c 100644
--- a/drivers/net/wireguard/allowedips.c
+++ b/drivers/net/wireguard/allowedips.c
@@ -263,6 +263,7 @@ static int add(struct allowedips_node __rcu **trie, u8 bits, const u8 *key,
 	} else {
 		node = kzalloc(sizeof(*node), GFP_KERNEL);
 		if (unlikely(!node)) {
+			list_del(&newnode->peer_list);
 			kfree(newnode);
 			return -ENOMEM;
 		}
diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
index 0fdbd1c..bda2640 100644
--- a/drivers/net/wireguard/netlink.c
+++ b/drivers/net/wireguard/netlink.c
@@ -569,10 +569,8 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
 							 private_key);
 		list_for_each_entry_safe(peer, temp, &wg->peer_list,
 					 peer_list) {
-			if (wg_noise_precompute_static_static(peer))
-				wg_noise_expire_current_peer_keypairs(peer);
-			else
-				wg_peer_remove(peer);
+			BUG_ON(!wg_noise_precompute_static_static(peer));
+			wg_noise_expire_current_peer_keypairs(peer);
 		}
 		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
 		up_write(&wg->static_identity.lock);
diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c
index d71c8db..919d9d8 100644
--- a/drivers/net/wireguard/noise.c
+++ b/drivers/net/wireguard/noise.c
@@ -46,17 +46,21 @@ void __init wg_noise_init(void)
 /* Must hold peer->handshake.static_identity->lock */
 bool wg_noise_precompute_static_static(struct wg_peer *peer)
 {
-	bool ret = true;
+	bool ret;
 
 	down_write(&peer->handshake.lock);
-	if (peer->handshake.static_identity->has_identity)
+	if (peer->handshake.static_identity->has_identity) {
 		ret = curve25519(
 			peer->handshake.precomputed_static_static,
 			peer->handshake.static_identity->static_private,
 			peer->handshake.remote_static);
-	else
+	} else {
+		u8 empty[NOISE_PUBLIC_KEY_LEN] = { 0 };
+
+		ret = curve25519(empty, empty, peer->handshake.remote_static);
 		memset(peer->handshake.precomputed_static_static, 0,
 		       NOISE_PUBLIC_KEY_LEN);
+	}
 	up_write(&peer->handshake.lock);
 	return ret;
 }
author	David S. Miller <davem@davemloft.net>	2020-02-05 14:14:19 +0100
committer	David S. Miller <davem@davemloft.net>	2020-02-05 14:14:19 +0100
commit	a25ee2347537207bc24a5c51a6e9493a745460b9 (patch)
tree	b96a7b35194c5b42783da38b4a94529718a59faf
parent	b5c094430092b4baf71d276b3ab7896bb4530951 (diff)
parent	298f25ad3d9c59072bfb730469dedc6897fa3d85 (diff)
download	wireguard-linux-trimmed-a25ee2347537207bc24a5c51a6e9493a745460b9.tar.gz wireguard-linux-trimmed-a25ee2347537207bc24a5c51a6e9493a745460b9.zip