From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexander Potapenko <glider@google.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 08/16] net/sctp: Always set scope_id in sctp_inet6_skb_msgname
Date: Wed, 22 Nov 2017 11:12:01 +0100 [thread overview]
Message-ID: <20171122101111.171385746@linuxfoundation.org> (raw)
In-Reply-To: <20171122101110.784746358@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec ]
Alexandar Potapenko while testing the kernel with KMSAN and syzkaller
discovered that in some configurations sctp would leak 4 bytes of
kernel stack.
Working with his reproducer I discovered that those 4 bytes that
are leaked is the scope id of an ipv6 address returned by recvmsg.
With a little code inspection and a shrewd guess I discovered that
sctp_inet6_skb_msgname only initializes the scope_id field for link
local ipv6 addresses to the interface index the link local address
pertains to instead of initializing the scope_id field for all ipv6
addresses.
That is almost reasonable as scope_id's are meaniningful only for link
local addresses. Set the scope_id in all other cases to 0 which is
not a valid interface index to make it clear there is nothing useful
in the scope_id field.
There should be no danger of breaking userspace as the stack leak
guaranteed that previously meaningless random data was being returned.
Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.")
History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/ipv6.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -806,6 +806,8 @@ static void sctp_inet6_skb_msgname(struc
if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
struct sctp_ulpevent *ev = sctp_skb2event(skb);
addr->v6.sin6_scope_id = ev->iif;
+ } else {
+ addr->v6.sin6_scope_id = 0;
}
}
next prev parent reply other threads:[~2017-11-22 10:13 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-22 10:11 [PATCH 4.4 00/16] 4.4.101-stable review Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 01/16] tcp: do not mangle skb->cb[] in tcp_make_synack() Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 02/16] netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 03/16] bonding: discard lowest hash bit for 802.3ad layer3+4 Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 04/16] vlan: fix a use-after-free in vlan_device_event() Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 05/16] af_netlink: ensure that NLMSG_DONE never fails in dumps Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 06/16] sctp: do not peel off an assoc from one netns to another one Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 07/16] fealnx: Fix building error on MIPS Greg Kroah-Hartman
2017-11-22 10:12 ` Greg Kroah-Hartman [this message]
2017-11-22 10:12 ` [PATCH 4.4 09/16] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 10/16] serial: omap: Fix EFR write on RTS deassertion Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 11/16] arm64: fix dump_instr when PAN and UAO are in use Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 12/16] [PATCH-stable] nvme: Fix memory order on async queue deletion Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 13/16] ocfs2: should wait dio before inode lock in ocfs2_setattr() Greg Kroah-Hartman
2017-12-05 15:49 ` Ben Hutchings
2017-12-06 1:02 ` alex chen
2017-12-06 16:36 ` Greg Kroah-Hartman
2017-12-07 18:25 ` Ben Hutchings
2017-12-08 0:39 ` alex chen
2017-12-08 2:26 ` Ben Hutchings
2017-12-08 4:03 ` alex chen
2017-12-08 5:36 ` Ben Hutchings
2017-12-08 6:16 ` alex chen
2017-12-08 10:04 ` Changwei Ge
2017-12-12 1:34 ` alex chen
2017-11-22 10:12 ` [PATCH 4.4 14/16] ipmi: fix unsigned long underflow Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 15/16] mm/page_alloc.c: broken deferred calculation Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 16/16] coda: fix kernel memory exposure attempt in fsync Greg Kroah-Hartman
2017-11-22 15:29 ` [PATCH 4.4 00/16] 4.4.101-stable review Nathan Chancellor
2017-11-22 17:05 ` Greg Kroah-Hartman
2017-11-22 17:38 ` Nathan Chancellor
2017-11-22 21:32 ` Guenter Roeck
2017-11-23 14:28 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171122101111.171385746@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=glider@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.