Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-18 18:11:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
0aee4c2598
linux/net/sctp
History
Neil Horman 0aee4c2598 sctp: Fix double free in sctp_sendmsg_to_asoc 
syzbot/kasan detected a double free in sctp_sendmsg_to_asoc:
BUG: KASAN: use-after-free in sctp_association_free+0x7b7/0x930
net/sctp/associola.c:332
Read of size 8 at addr ffff8801d8006ae0 by task syzkaller914861/4202

CPU: 1 PID: 4202 Comm: syzkaller914861 Not tainted 4.16.0-rc4+ #258
Hardware name: Google Google Compute Engine/Google Compute Engine
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 sctp_association_free+0x7b7/0x930 net/sctp/associola.c:332
 sctp_sendmsg+0xc67/0x1a80 net/sctp/socket.c:2075
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:639
 SYSC_sendto+0x361/0x5c0 net/socket.c:1748
 SyS_sendto+0x40/0x50 net/socket.c:1716
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

This was introduced by commit:
f84af33 sctp: factor out sctp_sendmsg_to_asoc from sctp_sendmsg

As the newly refactored function moved the wait_for_sndbuf call to a
point after the association was connected, allowing for peeloff events
to occur, which in turn caused wait_for_sndbuf to return -EPIPE which
was not caught by the logic that determines if an association should be
freed or not.

Fix it the easy way by returning the ordering of
sctp_primitive_ASSOCIATE and sctp_wait_for_sndbuf to the old order, to
ensure that EPIPE will not happen.

Tested by myself using the syzbot reproducers with positive results

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: davem@davemloft.net
CC: Xin Long <lucien.xin@gmail.com>
Reported-by: syzbot+a4e4112c3aff00c8cfd8@syzkaller.appspotmail.com
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-15 14:32:04 -04:00
..
associola.c sctp: implement enqueue_event for sctp_stream_interleave 2017-12-11 11:23:05 -05:00
auth.c sctp: add SCTP_AUTH_FREE_KEY type for AUTHENTICATION_EVENT 2018-03-14 13:48:27 -04:00
bind_addr.c sctp: remove the typedef sctp_scope_t 2017-08-06 21:33:41 -07:00
chunk.c sctp: add support for SCTP AUTH Information for sendmsg 2018-03-14 13:48:27 -04:00
debug.c sctp: add SCTP_CID_I_DATA and SCTP_CID_I_FWD_TSN conversion in sctp_cname 2018-02-12 11:40:01 -05:00
diag.c sctp: add file comments in diag.c 2018-02-13 13:56:31 -05:00
endpointola.c net: tracepoint: using sock_set_state tracepoint to trace SCTP state transition 2017-12-20 14:00:25 -05:00
input.c sctp: do not pr_err for the duplicated node in transport rhlist 2018-02-12 11:39:32 -05:00
inqueue.c sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
ipv6.c net: make getname() functions return length rather than use int* parameter 2018-02-12 14:15:04 -05:00
Kconfig net: sctp: Remove debug SCTP probe module 2018-01-02 14:27:29 -05:00
Makefile sctp: rename sctp_diag.c as diag.c 2018-02-13 13:56:31 -05:00
objcnt.c sctp: remove the typedef sctp_dbg_objcnt_entry_t 2017-08-11 10:02:43 -07:00
offload.c gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
output.c sctp: add refcnt support for sh_key 2018-03-14 13:48:27 -04:00
outqueue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-17 00:10:42 -05:00
primitive.c sctp: remove the typedef sctp_subtype_t 2017-08-06 21:33:42 -07:00
proc.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
protocol.c net: Convert sctp_ctrlsock_ops 2018-03-13 11:24:56 -04:00
sm_make_chunk.c sctp: add SCTP_AUTH_FREE_KEY type for AUTHENTICATION_EVENT 2018-03-14 13:48:27 -04:00
sm_sideeffect.c sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT 2018-03-14 13:48:27 -04:00
sm_statefuns.c sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT 2018-03-14 13:48:27 -04:00
sm_statetable.c sctp: implement validate_ftsn for sctp_stream_interleave 2017-12-15 13:52:22 -05:00
socket.c sctp: Fix double free in sctp_sendmsg_to_asoc 2018-03-15 14:32:04 -04:00
stream_interleave.c sctp: remove the left unnecessary check for chunk in sctp_renege_events 2018-02-16 16:32:37 -05:00
stream_sched_prio.c sctp: remove extern from stream sched 2017-11-28 11:00:13 -05:00
stream_sched_rr.c sctp: remove extern from stream sched 2017-11-28 11:00:13 -05:00
stream_sched.c sctp: add stream interleave support in stream scheduler 2017-12-15 13:52:22 -05:00
stream.c sctp: fix some copy-paste errors for file comments 2018-02-14 14:18:32 -05:00
sysctl.c sctp: support sysctl to allow users to use stream interleave 2017-12-15 13:52:22 -05:00
transport.c sctp: fix the handling of ICMP Frag Needed for too small MTUs 2018-01-08 14:19:13 -05:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: implement abort_pd for sctp_stream_interleave 2017-12-11 11:23:05 -05:00
ulpqueue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-12-22 11:16:31 -05:00