From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com,
Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH v5 net] sctp: Free cookie before we memdup a new one
Date: Thu, 13 Jun 2019 13:51:34 -0300
Message-ID: <20190613165133.GD3500@localhost.localdomain>
In-Reply-To: <20190613103559.2603-1-nhorman@tuxdriver.com>

On Thu, Jun 13, 2019 at 06:35:59AM -0400, Neil Horman wrote:
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, it's possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> v4->v5
> remove cut line
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
> net/sctp/sm_make_chunk.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..9b0e5b0d701a 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len =
> ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
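Review bot: the `if (asoc->peer.cookie)` guard on the added kfree() is redundant, because kfree() accepts NULL and does nothing; the same holds for the guards in the three later hunks. Drop the test and call kfree(asoc->peer.cookie) unconditionally, which is also what checkpatch asks for.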
> @@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's random parameter */
> + if (asoc->peer.peer_random)
> + kfree(asoc->peer.peer_random);
> asoc->peer.peer_random = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_random) {
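Review bot: the old peer_random buffer is freed before the kmemdup() that replaces it is known to have succeeded, so an allocation failure while processing a resent INIT leaves the association with no peer_random at all instead of the previous copy. That is acceptable if the `if (!asoc->peer.peer_random)` branch abandons the association; if it does not, duplicate into a temporary first and free the old buffer only once the new one exists.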
> @@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's HMAC list */
> + if (asoc->peer.peer_hmacs)
> + kfree(asoc->peer.peer_hmacs);
> asoc->peer.peer_hmacs = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_hmacs) {
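Review bot: this is the third copy of the same free-then-kmemdup sequence in sctp_process_param(), here for peer_hmacs, and a fourth follows for peer_chunks. A small static helper taking the destination pointer, the source and the length would keep the four sites identical and make it harder for a later parameter case to forget the free.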
> @@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> if (!ep->auth_enable)
> goto fall_through;
>
> + if (asoc->peer.peer_chunks)
> + kfree(asoc->peer.peer_chunks);
> asoc->peer.peer_chunks = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_chunks)
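Review bot: the peer_chunks free added here, like the peer_random and peer_hmacs ones above, is mentioned only in the change notes; the subject and the body of the commit message speak of cookie memory alone. A sentence saying that the other kmemdup'd peer parameters leak the same way on a resent INIT would make the log match the diff.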
> --
> 2.20.1
>