From mboxrd@z Thu Jan 1 00:00:00 1970
From: Joshua Kinard
Date: Fri, 18 Apr 2014 01:54:10 +0000
Subject: Re: [PATCH net] net: sctp: cache auth_enable per endpoint
Message-Id: <535085C2.8040409@gentoo.org>
List-Id:
References: <1397748410-1983-1-git-send-email-dborkman@redhat.com>
In-Reply-To: <1397748410-1983-1-git-send-email-dborkman@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Daniel Borkmann, davem@davemloft.net
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org, Vlad Yasevich

On 04/17/2014 11:26, Daniel Borkmann wrote:
> From: Vlad Yasevich
>
> Currently, it is possible to create an SCTP socket, then switch
> auth_enable via sysctl setting to 1 and crash the system on connect:
>
> Oops[#1]:
> CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
> task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
> [...]
> Call Trace:
> [] sctp_auth_asoc_set_default_hmac+0x68/0x80
> [] sctp_process_init+0x5e0/0x8a4
> [] sctp_sf_do_5_1B_init+0x234/0x34c
> [] sctp_do_sm+0xb4/0x1e8
> [] sctp_endpoint_bh_rcv+0x1c4/0x214
> [] sctp_rcv+0x588/0x630
> [] sctp6_rcv+0x10/0x24
> [] ip6_input+0x2c0/0x440
> [] __netif_receive_skb_core+0x4a8/0x564
> [] process_backlog+0xb4/0x18c
> [] net_rx_action+0x12c/0x210
> [] __do_softirq+0x17c/0x2ac
> [] irq_exit+0x54/0xb0
> [] ret_from_irq+0x0/0x4
> [] rm7k_wait_irqoff+0x24/0x48
> [] cpu_startup_entry+0xc0/0x148
> [] start_kernel+0x37c/0x398
> Code: dd0900b8 000330f8 0126302d 50c0fff1 0047182a a48306a0
> 03e00008 00000000
> ---[ end trace b530b0551467f2fd ]---
> Kernel panic - not syncing: Fatal exception in interrupt
>
> What happens while auth_enable=0 in that case is that
> ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
> when the endpoint is being created.
>
> After that point, if an admin switches over to auth_enable=1,
> the machine can crash due to NULL pointer dereference during
> reception of an INIT chunk. When we enter sctp_process_init()
> via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
> the INIT verification succeeds and while we walk and process
> all INIT params via sctp_process_param() we find that
> net->sctp.auth_enable is set, therefore do not fall through,
> but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
> dereference what we have set to NULL during endpoint
> initialization phase.
>
> The fix is to make auth_enable immutable by caching its value
> during endpoint initialization, so that its original value is
> being carried along until destruction. The bug seems to originate
> from the very first days.
>
> Fix in joint work with Daniel Borkmann.
>
> Reported-by: Joshua Kinard
> Signed-off-by: Vlad Yasevich
> Signed-off-by: Daniel Borkmann

This solves the problem for me, thanks!

Tested-by: Joshua Kinard
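The lifetime mismatch the quoted commit message describes, as an added example that is not part of this thread and not the kernel's SCTP code: a small user-space C model in which a global flag (a stand-in for the net->sctp.auth_enable sysctl) decides at endpoint creation whether an HMAC table is allocated, and INIT processing later either re-reads the live global (the bug) or the copy cached in the endpoint (the fix). Every name here (g_auth_enable, struct endpoint, hmac_table, endpoint_create, process_init_buggy, process_init_fixed, scenario) is hypothetical; the model returns -1 where the kernel would have dereferenced NULL instead of crashing.

```c
/*
 * Added example, not kernel code: a user-space model of the bug the
 * commit message describes.  g_auth_enable stands in for the sysctl
 * net->sctp.auth_enable, struct endpoint for sctp_endpoint, and
 * endpoint_create() for the sctp_auth_init_hmacs() step that leaves
 * ep->auth_hmacs NULL when auth is off at creation.  All names are
 * hypothetical stand-ins, not the kernel's.
 */
#include <stdio.h>
#include <stdlib.h>

/* Global tunable an admin can flip at any time (models the sysctl). */
static int g_auth_enable = 0;

/* Models the per-endpoint HMAC table that only exists when auth is on. */
struct hmac_table {
    int default_hmac_id;
};

struct endpoint {
    int auth_enable;          /* tunable's value at creation (what the fix caches) */
    struct hmac_table *hmacs; /* NULL when auth was off at creation */
};

/* Models endpoint creation: the table is allocated only if the tunable
 * is on right now, and that decision is recorded in ep->auth_enable. */
static struct endpoint *endpoint_create(void)
{
    struct endpoint *ep = calloc(1, sizeof(*ep));
    if (!ep)
        return NULL;
    ep->auth_enable = g_auth_enable;
    if (ep->auth_enable) {
        ep->hmacs = calloc(1, sizeof(*ep->hmacs));
        if (!ep->hmacs) {
            free(ep);
            return NULL;
        }
        ep->hmacs->default_hmac_id = 1; /* arbitrary non-zero id */
    }
    return ep;
}

static void endpoint_destroy(struct endpoint *ep)
{
    if (ep) {
        free(ep->hmacs);
        free(ep);
    }
}

/* Both INIT handlers return the default HMAC id (>0) if the table was
 * used, 0 if the auth path was skipped, and -1 where the kernel would
 * have dereferenced NULL. */

/* Buggy: re-reads the live global when the INIT arrives, so the check
 * can disagree with the table allocated at creation. */
static int process_init_buggy(struct endpoint *ep)
{
    if (g_auth_enable) {
        if (!ep->hmacs)
            return -1; /* the kernel oopses here in sctp_auth_asoc_set_default_hmac() */
        return ep->hmacs->default_hmac_id;
    }
    return 0;
}

/* Fixed: consults the value cached at creation, set in the same step
 * that decided whether the table exists. */
static int process_init_fixed(struct endpoint *ep)
{
    if (ep->auth_enable) {
        if (!ep->hmacs)
            return -1; /* cannot happen: flag and table are set together */
        return ep->hmacs->default_hmac_id;
    }
    return 0;
}

/* Create an endpoint with the tunable at at_create, flip it to at_recv
 * (the admin's sysctl write between socket() and the INIT), then process
 * an INIT with the given handler. */
static int scenario(int (*process_init)(struct endpoint *),
                    int at_create, int at_recv)
{
    g_auth_enable = at_create;
    struct endpoint *ep = endpoint_create();
    if (!ep)
        return -2; /* allocation failure, unrelated to the bug */
    g_auth_enable = at_recv;
    int rc = process_init(ep);
    endpoint_destroy(ep);
    g_auth_enable = 0;
    return rc;
}

int main(void)
{
    /* The reported sequence: auth off at creation, switched on before the INIT. */
    printf("buggy, off->on: %d\n", scenario(process_init_buggy, 0, 1));
    printf("fixed, off->on: %d\n", scenario(process_init_fixed, 0, 1));
    /* The reverse flip: buggy silently skips auth on an endpoint that has a table. */
    printf("buggy, on->off: %d\n", scenario(process_init_buggy, 1, 0));
    printf("fixed, on->off: %d\n", scenario(process_init_fixed, 1, 0));
    return 0;
}
```

The point the model makes is the one the patch relies on: the table and the flag that guards its use must have the same lifetime. Reading a global tunable at use time, after the object it governs was built under a different value, is the same class of mismatch whichever direction the flag flips; the reverse case (on at creation, off at receive) does not crash but quietly disables authentication for an endpoint that was set up with it.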