[PATCH 4.16 08/18] sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	Vlad Yasevich <vyasevich@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	syzbot <syzkaller@googlegroups.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.16 08/18] sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
Date: Wed, 11 Apr 2018 00:23:43 +0200	[thread overview]
Message-ID: <20180410212759.028204694@linuxfoundation.org> (raw)
In-Reply-To: <20180410212758.564682823@linuxfoundation.org>

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]

Check must happen before call to ipv6_addr_v4mapped()

syzbot report was :

BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 sctp_sockaddr_af net/sctp/socket.c:359 [inline]
 sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
 sctp_bind+0x149/0x190 net/sctp/socket.c:332
 inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
 SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
 SyS_bind+0x54/0x80 net/socket.c:1460
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fd49
RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000

Local variable description: ----address@SYSC_bind
Variable was created at:
 SYSC_bind+0x6f/0x4b0 net/socket.c:1461
 SyS_bind+0x54/0x80 net/socket.c:1460

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -354,11 +354,14 @@ static struct sctp_af *sctp_sockaddr_af(
 	if (!opt->pf->af_supported(addr->sa.sa_family, opt))
 		return NULL;
 
-	/* V4 mapped address are really of AF_INET family */
-	if (addr->sa.sa_family == AF_INET6 &&
-	    ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
-	    !opt->pf->af_supported(AF_INET, opt))
-		return NULL;
+	if (addr->sa.sa_family == AF_INET6) {
+		if (len < SIN6_LEN_RFC2133)
+			return NULL;
+		/* V4 mapped address are really of AF_INET family */
+		if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+		    !opt->pf->af_supported(AF_INET, opt))
+			return NULL;
+	}
 
 	/* If we get this far, af is valid. */
 	af = sctp_get_af_specific(addr->sa.sa_family);

next prev parent reply	other threads:[~2018-04-10 22:23 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-10 22:23 [PATCH 4.16 00/18] 4.16.2-stable review Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 01/18] sparc64: Oracle DAX driver depends on SPARC64 Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 02/18] arp: fix arp_filter on l3slave devices Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 03/18] net: dsa: Discard frames from unused ports Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 04/18] net/ipv6: Increment OUTxxx counters after netfilter hook Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 05/18] net/sched: fix NULL dereference in the error path of tcf_bpf_init() Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 06/18] pptp: remove a buggy dst release in pptp_connect() Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 07/18] sctp: do not leak kernel memory to user space Greg Kroah-Hartman
2018-04-10 22:23 ` Greg Kroah-Hartman [this message]
2018-04-10 22:23 ` [PATCH 4.16 09/18] sky2: Increase D3 delay to sky2 stops working after suspend Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 10/18] vlan: also check phy_driver ts_info for vlans real device Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 11/18] net: fool proof dev_valid_name() Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 12/18] ip_tunnel: better validate user provided tunnel names Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 13/18] ipv6: sit: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 14/18] ip6_gre: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 15/18] ip6_tunnel: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 16/18] vti6: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 17/18] net_sched: fix a missing idr_remove() in u32_delete_key() Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 18/18] nfp: use full 40 bits of the NSP buffer address Greg Kroah-Hartman
2018-04-11  6:02 ` [PATCH 4.16 00/18] 4.16.2-stable review kernelci.org bot
2018-04-11 17:15 ` Shuah Khan
2018-04-12 12:31   ` Greg Kroah-Hartman
2018-04-11 17:27 ` Guenter Roeck
2018-04-12 12:31   ` Greg Kroah-Hartman
2018-04-11 19:26 ` Dan Rue
2018-04-12 12:32   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180410212759.028204694@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=stable@vger.kernel.org \
    --cc=syzkaller@googlegroups.com \
    --cc=vyasevich@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.