From: Joshua Kinard <kumba@gentoo.org>
To: Daniel Borkmann <dborkman@redhat.com>, davem@davemloft.net
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevic@redhat.com>
Subject: Re: [PATCH net] net: sctp: cache auth_enable per endpoint
Date: Fri, 18 Apr 2014 01:54:10 +0000 [thread overview]
Message-ID: <535085C2.8040409@gentoo.org> (raw)
In-Reply-To: <1397748410-1983-1-git-send-email-dborkman@redhat.com>
On 04/17/2014 11:26, Daniel Borkmann wrote:
> From: Vlad Yasevich <vyasevic@redhat.com>
>
> Currently, it is possible to create an SCTP socket, then switch
> auth_enable via sysctl setting to 1 and crash the system on connect:
>
> Oops[#1]:
> CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
> task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
> [...]
> Call Trace:
> [<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
> [<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
> [<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
> [<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
> [<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
> [<ffffffff8043af68>] sctp_rcv+0x588/0x630
> [<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
> [<ffffffff803acb50>] ip6_input+0x2c0/0x440
> [<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
> [<ffffffff80310650>] process_backlog+0xb4/0x18c
> [<ffffffff80313cbc>] net_rx_action+0x12c/0x210
> [<ffffffff80034254>] __do_softirq+0x17c/0x2ac
> [<ffffffff800345e0>] irq_exit+0x54/0xb0
> [<ffffffff800075a4>] ret_from_irq+0x0/0x4
> [<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
> [<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
> [<ffffffff805a88b0>] start_kernel+0x37c/0x398
> Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
> 03e00008 00000000
> ---[ end trace b530b0551467f2fd ]---
> Kernel panic - not syncing: Fatal exception in interrupt
>
> What happens while auth_enable=0 in that case is, that
> ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
> when endpoint is being created.
>
> After that point, if an admin switches over to auth_enable=1,
> the machine can crash due to NULL pointer dereference during
> reception of an INIT chunk. When we enter sctp_process_init()
> via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
> the INIT verification succeeds and while we walk and process
> all INIT params via sctp_process_param() we find that
> net->sctp.auth_enable is set, therefore do not fall through,
> but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
> dereference what we have set to NULL during endpoint
> initialization phase.
>
> The fix is to make auth_enable immutable by caching its value
> during endpoint initialization, so that its original value is
> being carried along until destruction. The bug seems to originate
> from the very first days.
>
> Fix in joint work with Daniel Borkmann.
>
> Reported-by: Joshua Kinard <kumba@gentoo.org>
> Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
This solves the problem for me, thanks!
Tested-by: Joshua Kinard <kumba@gentoo.org>
WARNING: multiple messages have this Message-ID (diff)
From: Joshua Kinard <kumba@gentoo.org>
To: Daniel Borkmann <dborkman@redhat.com>, davem@davemloft.net
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevic@redhat.com>
Subject: Re: [PATCH net] net: sctp: cache auth_enable per endpoint
Date: Thu, 17 Apr 2014 21:54:10 -0400 [thread overview]
Message-ID: <535085C2.8040409@gentoo.org> (raw)
In-Reply-To: <1397748410-1983-1-git-send-email-dborkman@redhat.com>
On 04/17/2014 11:26, Daniel Borkmann wrote:
> From: Vlad Yasevich <vyasevic@redhat.com>
>
> Currently, it is possible to create an SCTP socket, then switch
> auth_enable via sysctl setting to 1 and crash the system on connect:
>
> Oops[#1]:
> CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
> task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
> [...]
> Call Trace:
> [<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80
> [<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4
> [<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c
> [<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8
> [<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214
> [<ffffffff8043af68>] sctp_rcv+0x588/0x630
> [<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24
> [<ffffffff803acb50>] ip6_input+0x2c0/0x440
> [<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564
> [<ffffffff80310650>] process_backlog+0xb4/0x18c
> [<ffffffff80313cbc>] net_rx_action+0x12c/0x210
> [<ffffffff80034254>] __do_softirq+0x17c/0x2ac
> [<ffffffff800345e0>] irq_exit+0x54/0xb0
> [<ffffffff800075a4>] ret_from_irq+0x0/0x4
> [<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48
> [<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148
> [<ffffffff805a88b0>] start_kernel+0x37c/0x398
> Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0
> 03e00008 00000000
> ---[ end trace b530b0551467f2fd ]---
> Kernel panic - not syncing: Fatal exception in interrupt
>
> What happens while auth_enable=0 in that case is, that
> ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
> when endpoint is being created.
>
> After that point, if an admin switches over to auth_enable=1,
> the machine can crash due to NULL pointer dereference during
> reception of an INIT chunk. When we enter sctp_process_init()
> via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
> the INIT verification succeeds and while we walk and process
> all INIT params via sctp_process_param() we find that
> net->sctp.auth_enable is set, therefore do not fall through,
> but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
> dereference what we have set to NULL during endpoint
> initialization phase.
>
> The fix is to make auth_enable immutable by caching its value
> during endpoint initialization, so that its original value is
> being carried along until destruction. The bug seems to originate
> from the very first days.
>
> Fix in joint work with Daniel Borkmann.
>
> Reported-by: Joshua Kinard <kumba@gentoo.org>
> Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
This solves the problem for me, thanks!
Tested-by: Joshua Kinard <kumba@gentoo.org>
next prev parent reply other threads:[~2014-04-18 1:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-17 15:26 [PATCH net] net: sctp: cache auth_enable per endpoint Daniel Borkmann
2014-04-17 15:26 ` Daniel Borkmann
2014-04-17 20:44 ` Neil Horman
2014-04-17 20:44 ` Neil Horman
2014-04-18 1:54 ` Joshua Kinard [this message]
2014-04-18 1:54 ` Joshua Kinard
2014-04-18 22:41 ` David Miller
2014-04-18 22:41 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=535085C2.8040409@gentoo.org \
--to=kumba@gentoo.org \
--cc=davem@davemloft.net \
--cc=dborkman@redhat.com \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=vyasevic@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.