From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Xin Long <lucien.xin@gmail.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 12/20] sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
Date: Thu, 16 Nov 2017 18:28:19 +0100 [thread overview]
Message-ID: <20171116172722.250533568@linuxfoundation.org> (raw)
In-Reply-To: <20171116172721.759231192@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 1cc276cec9ec574d41cf47dfc0f51406b6f26ab4 ]
Now sctp processes icmp redirect packet in sctp_icmp_redirect where
it calls sctp_transport_dst_check in which tp->dst can be released.
The problem is before calling sctp_transport_dst_check, it doesn't
check sock_owned_by_user, which means tp->dst could be freed while
a process is accessing it with owning the socket.
An use-after-free issue could be triggered by this.
This patch is to fix it by checking sock_owned_by_user before calling
sctp_transport_dst_check in sctp_icmp_redirect, so that it would not
release tp->dst if users still hold sock lock.
Besides, the same issue fixed in commit 45caeaa5ac0b ("dccp/tcp: fix
routing redirect race") on sctp also needs this check.
Fixes: 55be7a9c6074 ("ipv4: Add redirect support to all protocol icmp error handlers")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -420,7 +420,7 @@ void sctp_icmp_redirect(struct sock *sk,
{
struct dst_entry *dst;
- if (!t)
+ if (sock_owned_by_user(sk) || !t)
return;
dst = sctp_transport_dst_check(t);
if (dst)
next prev parent reply other threads:[~2017-11-16 17:33 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-16 17:28 [PATCH 3.18 00/20] 3.18.82-stable review Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 01/20] [PATCH] Revert "ceph: unlock dangling spinlock in try_flush_caps()" Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 02/20] mac80211: accept key reinstall without changing anything Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 03/20] mac80211: use constant time comparison with keys Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 04/20] mac80211: dont compare TKIP TX MIC key in reinstall prevention Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 05/20] usb: usbtest: fix NULL pointer dereference Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 06/20] Input: ims-psu - check if CDC union descriptor is sane Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 08/20] tun/tap: sanitize TUNSETSNDBUF input Greg Kroah-Hartman
2017-11-16 21:25 ` Craig Gallek
2017-11-17 7:59 ` Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 09/20] tcp: fix tcp_mtu_probe() vs highest_sack Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 10/20] l2tp: check ps->sock before running pppol2tp_session_ioctl() Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 11/20] tun: call dev_get_valid_name() before register_netdevice() Greg Kroah-Hartman
2017-11-16 17:28 ` Greg Kroah-Hartman [this message]
2017-11-16 17:28 ` [PATCH 3.18 13/20] net/unix: dont show information about sockets from other namespaces Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 14/20] tun: allow positive return values on dev_get_valid_name() call Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 15/20] sctp: reset owner sk for data chunks on out queues when migrating a sock Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 16/20] ipv6: flowlabel: do not leave opt->tot_len with garbage Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 17/20] ipip: only increase err_count for some certain type icmp in ipip_err Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 18/20] ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 19/20] security/keys: add CONFIG_KEYS_COMPAT to Kconfig Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 20/20] target/iscsi: Fix iSCSI task reassignment handling Greg Kroah-Hartman
2017-11-16 22:43 ` [PATCH 3.18 00/20] 3.18.82-stable review Shuah Khan
2017-11-17 2:00 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171116172722.250533568@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.