From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A9B11FB4 for ; Fri, 3 Feb 2023 10:19:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BDFE6C433D2; Fri, 3 Feb 2023 10:19:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1675419591; bh=q8ZVPrzYnvQYOtEZp+gw5Y/8Y/9B04SLAkMw9KEwhr0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rZrGt6PbZx80Q/V2jqJ1yXUGvqk2lpsNju28t2PTJxCZkEg9sCXLGMA1qYCrDaGYO DwdUzSyhLWMFxYJdWlhBfDZvpOdcRHQ67SAtjgq75ZxXDNmA8UdfIEIJ/6oQaauUK0 cY2joBOuD5QVwlytaBtntidZ05IMHYns0wYsPJWw= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Pietro Borrello , Marcelo Ricardo Leitner , Xin Long , Jakub Kicinski , Sasha Levin Subject: [PATCH 4.19 54/80] sctp: fail if no bound addresses can be used for a given scope Date: Fri, 3 Feb 2023 11:12:48 +0100 Message-Id: <20230203101017.515477741@linuxfoundation.org> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230203101015.263854890@linuxfoundation.org> References: <20230203101015.263854890@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Marcelo Ricardo Leitner [ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ] Currently, if you bind the socket to something like: servaddr.sin6_family = AF_INET6; servaddr.sin6_port = htons(0); servaddr.sin6_scope_id = 0; inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); And then request a connect to: connaddr.sin6_family = AF_INET6; connaddr.sin6_port = htons(20000); connaddr.sin6_scope_id = if_nametoindex("lo"); inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); What the stack does is: - bind the socket - create a new asoc - to handle the connect - copy the addresses that can be used for the given scope - try to connect But the copy returns 0 addresses, and the effect is that it ends up trying to connect as if the socket wasn't bound, which is not the desired behavior. This unexpected behavior also allows KASLR leaks through SCTP diag interface. The fix here then is, if when trying to copy the addresses that can be used for the scope used in connect() it returns 0 addresses, bail out. This is what TCP does with a similar reproducer. Reported-by: Pietro Borrello Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Marcelo Ricardo Leitner Reviewed-by: Xin Long Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/sctp/bind_addr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c index f8a283245672..d723942e5e65 100644 --- a/net/sctp/bind_addr.c +++ b/net/sctp/bind_addr.c @@ -88,6 +88,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest, } } + /* If somehow no addresses were found that can be used with this + * scope, it's an error. + */ + if (list_empty(&dest->address_list)) + error = -ENETUNREACH; + out: if (error) sctp_bind_addr_clean(dest); -- 2.39.0