From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Vlad Yasevich <vladislav.yasevich@hp.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [patch 26/42] sctp: fix potential panics in the SCTP-AUTH API.
Date: Wed, 3 Sep 2008 10:26:17 -0700 [thread overview]
Message-ID: <20080903172617.GA7731@suse.de> (raw)
In-Reply-To: <20080903172447.GA7731@suse.de>
[-- Attachment #1: 0007-sctp-fix-potential-panics-in-the-SCTP-AUTH-API.patch --]
[-- Type: text/plain, Size: 6948 bytes --]
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Vlad Yasevich <vladislav.yasevich@hp.com>
[ Upstream commit 5e739d1752aca4e8f3e794d431503bfca3162df4 ]
All of the SCTP-AUTH socket options could cause a panic
if the extension is disabled and the API is invoked.
Additionally, there were assumptions that
certain pointers would always be valid, which may not
always be the case.
This patch hardens the API and addresses all of the crash
scenarios.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/sctp/endpointola.c | 4 +-
net/sctp/socket.c | 85 +++++++++++++++++++++++++++++++++++++------------
2 files changed, 67 insertions(+), 22 deletions(-)
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -103,6 +103,7 @@ static struct sctp_endpoint *sctp_endpoi
/* Initialize the CHUNKS parameter */
auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
+ auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t));
/* If the Add-IP functionality is enabled, we must
* authenticate, ASCONF and ASCONF-ACK chunks
@@ -110,8 +111,7 @@ static struct sctp_endpoint *sctp_endpoi
if (sctp_addip_enable) {
auth_chunks->chunks[0] = SCTP_CID_ASCONF;
auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
- auth_chunks->param_hdr.length =
- htons(sizeof(sctp_paramhdr_t) + 2);
+ auth_chunks->param_hdr.length += htons(2);
}
}
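Review bot: `auth_chunks->param_hdr.length += htons(2);` adds two __be16 values as plain integers, which only produces the correct big-endian result here because neither operand carries across a byte boundary; it is also the kind of arithmetic on an endianness-annotated type that sparse is likely to warn about (unverified from here). Since the base length is now set unconditionally in the previous hunk, the explicit form `auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t) + 2);` remains correct and is easier to read and check. The enclosing function (its name is truncated in the hunk header) starts before and ends after this hunk.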
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2965,6 +2965,9 @@ static int sctp_setsockopt_auth_chunk(st
{
struct sctp_authchunk val;
+ if (!sctp_auth_enable)
+ return -EACCES;
+
if (optlen != sizeof(struct sctp_authchunk))
return -EINVAL;
if (copy_from_user(&val, optval, optlen))
@@ -2995,6 +2998,9 @@ static int sctp_setsockopt_hmac_ident(st
struct sctp_hmacalgo *hmacs;
int err;
+ if (!sctp_auth_enable)
+ return -EACCES;
+
if (optlen < sizeof(struct sctp_hmacalgo))
return -EINVAL;
@@ -3033,6 +3039,9 @@ static int sctp_setsockopt_auth_key(stru
struct sctp_association *asoc;
int ret;
+ if (!sctp_auth_enable)
+ return -EACCES;
+
if (optlen <= sizeof(struct sctp_authkey))
return -EINVAL;
@@ -3070,6 +3079,9 @@ static int sctp_setsockopt_active_key(st
struct sctp_authkeyid val;
struct sctp_association *asoc;
+ if (!sctp_auth_enable)
+ return -EACCES;
+
if (optlen != sizeof(struct sctp_authkeyid))
return -EINVAL;
if (copy_from_user(&val, optval, optlen))
@@ -3095,6 +3107,9 @@ static int sctp_setsockopt_del_key(struc
struct sctp_authkeyid val;
struct sctp_association *asoc;
+ if (!sctp_auth_enable)
+ return -EACCES;
+
if (optlen != sizeof(struct sctp_authkeyid))
return -EINVAL;
if (copy_from_user(&val, optval, optlen))
@@ -5053,19 +5068,29 @@ static int sctp_getsockopt_maxburst(stru
static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
char __user *optval, int __user *optlen)
{
+ struct sctp_hmacalgo __user *p = (void __user *)optval;
struct sctp_hmac_algo_param *hmacs;
- __u16 param_len;
+ __u16 data_len = 0;
+ u32 num_idents;
+
+ if (!sctp_auth_enable)
+ return -EACCES;
hmacs = sctp_sk(sk)->ep->auth_hmacs_list;
- param_len = ntohs(hmacs->param_hdr.length);
+ data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);
- if (len < param_len)
+ if (len < sizeof(struct sctp_hmacalgo) + data_len)
return -EINVAL;
+
+ len = sizeof(struct sctp_hmacalgo) + data_len;
+ num_idents = data_len / sizeof(u16);
+
if (put_user(len, optlen))
return -EFAULT;
- if (copy_to_user(optval, hmacs->hmac_ids, len))
+ if (put_user(num_idents, &p->shmac_num_idents))
+ return -EFAULT;
+ if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len))
return -EFAULT;
-
return 0;
}
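Review bot: `hmacs = sctp_sk(sk)->ep->auth_hmacs_list;` is still dereferenced without a NULL check; the new `sctp_auth_enable` gate is a global flag, and if it can be toggled at runtime after the endpoint was created (it appears to be a sysctl, not confirmed from this page), the per-endpoint list may never have been allocated, which is the same class of crash this patch sets out to close. A guard such as `if (!hmacs) return -EACCES;` right after the assignment would cover that case at no cost. Separately, `data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);` stores a size_t difference in a __u16 and wraps if the stored length is ever smaller than the header; the same subtraction feeds `num_chunks` in sctp_getsockopt_peer_auth_chunks and sctp_getsockopt_local_auth_chunks in the later hunks, so a `ntohs(...) >= sizeof(sctp_paramhdr_t)` check before all three would be worth adding.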
@@ -5075,6 +5100,9 @@ static int sctp_getsockopt_active_key(st
struct sctp_authkeyid val;
struct sctp_association *asoc;
+ if (!sctp_auth_enable)
+ return -EACCES;
+
if (len < sizeof(struct sctp_authkeyid))
return -EINVAL;
if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
@@ -5089,6 +5117,12 @@ static int sctp_getsockopt_active_key(st
else
val.scact_keynumber = sctp_sk(sk)->ep->active_key_id;
+ len = sizeof(struct sctp_authkeyid);
+ if (put_user(len, optlen))
+ return -EFAULT;
+ if (copy_to_user(optval, &val, len))
+ return -EFAULT;
+
return 0;
}
@@ -5099,13 +5133,16 @@ static int sctp_getsockopt_peer_auth_chu
struct sctp_authchunks val;
struct sctp_association *asoc;
struct sctp_chunks_param *ch;
- u32 num_chunks;
+ u32 num_chunks = 0;
char __user *to;
- if (len <= sizeof(struct sctp_authchunks))
+ if (!sctp_auth_enable)
+ return -EACCES;
+
+ if (len < sizeof(struct sctp_authchunks))
return -EINVAL;
- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
+ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
return -EFAULT;
to = p->gauth_chunks;
@@ -5114,20 +5151,21 @@ static int sctp_getsockopt_peer_auth_chu
return -EINVAL;
ch = asoc->peer.peer_chunks;
+ if (!ch)
+ goto num;
/* See if the user provided enough room for all the data */
num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
if (len < num_chunks)
return -EINVAL;
- len = num_chunks;
- if (put_user(len, optlen))
+ if (copy_to_user(to, ch->chunks, num_chunks))
return -EFAULT;
+num:
+ len = sizeof(struct sctp_authchunks) + num_chunks;
+ if (put_user(len, optlen)) return -EFAULT;
if (put_user(num_chunks, &p->gauth_number_of_chunks))
return -EFAULT;
- if (copy_to_user(to, ch->chunks, len))
- return -EFAULT;
-
return 0;
}
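Review bot: The unchanged room check `if (len < num_chunks)` above `copy_to_user(to, ch->chunks, num_chunks)` does not account for the `struct sctp_authchunks` header that precedes `to = p->gauth_chunks` in the user buffer, so a caller whose `len` lies between `num_chunks` and `sizeof(struct sctp_authchunks) + num_chunks` has up to a header's worth of bytes written past the end of what it supplied; the local variant in the next hunk was changed to `if (len < sizeof(struct sctp_authchunks) + num_chunks)` and this one should match it. Minor style point: `if (put_user(len, optlen)) return -EFAULT;` after the `num:` label is collapsed onto one line, unlike every other check in the function. The function signature and the declaration of `p` are outside this hunk.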
@@ -5138,13 +5176,16 @@ static int sctp_getsockopt_local_auth_ch
struct sctp_authchunks val;
struct sctp_association *asoc;
struct sctp_chunks_param *ch;
- u32 num_chunks;
+ u32 num_chunks = 0;
char __user *to;
- if (len <= sizeof(struct sctp_authchunks))
+ if (!sctp_auth_enable)
+ return -EACCES;
+
+ if (len < sizeof(struct sctp_authchunks))
return -EINVAL;
- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
+ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
return -EFAULT;
to = p->gauth_chunks;
@@ -5157,17 +5198,21 @@ static int sctp_getsockopt_local_auth_ch
else
ch = sctp_sk(sk)->ep->auth_chunk_list;
+ if (!ch)
+ goto num;
+
num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
- if (len < num_chunks)
+ if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
- len = num_chunks;
+ if (copy_to_user(to, ch->chunks, num_chunks))
+ return -EFAULT;
+num:
+ len = sizeof(struct sctp_authchunks) + num_chunks;
if (put_user(len, optlen))
return -EFAULT;
if (put_user(num_chunks, &p->gauth_number_of_chunks))
return -EFAULT;
- if (copy_to_user(to, ch->chunks, len))
- return -EFAULT;
return 0;
}
--