From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: Eric Biggers <ebiggers@kernel.org>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
linux-sctp@vger.kernel.org,
syzbot <syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com>,
davem <davem@davemloft.net>,
Alexander Potapenko <glider@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-crypto@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KMSAN: uninit-value in __crc32c_le_base
Date: Wed, 27 Nov 2019 10:22:46 -0300 [thread overview]
Message-ID: <20191127132246.GN388551@localhost.localdomain> (raw)
In-Reply-To: <CADvbK_fOZ+kLiOOOXN-qUzDC2376-UxHmg1L6xiAFRR6=+re3w@mail.gmail.com>
On Wed, Nov 27, 2019 at 04:49:46PM +0800, Xin Long wrote:
> On Wed, Nov 27, 2019 at 2:02 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > Looks like a bug in net/sctp/ where it's passing uninitialized memory into the
> > crc32c() function. SCTP maintainers, can you please take a look?
> Thanks.
>
> The issue was caused by:
> transport->ipaddr set with uninit addr param, which was passed by:
>
> sctp_transport_init net/sctp/transport.c:47 [inline]
> sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
> sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
> sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
>
> where 'addr' is set by sctp_v4_from_addr_param(), which doesn't initialize the
> padding of addr->v4.
>
> later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
> will become the part of skb, and the issue occurs.
Sweet.
>
> The fix should be:
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 09050c1d5517..0e73405eba4f 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2516,6 +2516,7 @@ static int sctp_process_param(struct
> sctp_association *asoc,
> if (ipv6_only_sock(asoc->base.sk))
> break;
> do_addr_param:
> + memset(&addr, 0, sizeof(addr));
> af = sctp_get_af_specific(param_type2af(param.p->type));
> af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);
> scope = sctp_scope(peer_addr);
> @@ -3040,6 +3041,7 @@ static __be16 sctp_process_asconf_param(struct
> sctp_association *asoc,
> if (unlikely(!af))
> return SCTP_ERROR_DNS_FAILED;
>
> + memset(&addr, 0, sizeof(addr));
> af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);
In sctp_v4_from_addr_param() itself seems cleaner.
(Ditto for sctp_v4_to_addr_param() and related ones, like
sctp_v4_dst_saddr())
These functions shouldn't trust that the caller initializes the
memory. They are dealing with ipv4 but they know that the buffer
they are writting into is larger and the size of it.
Marcelo
prev parent reply other threads:[~2019-11-27 13:22 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-23 18:05 KMSAN: uninit-value in __crc32c_le_base syzbot
2019-11-27 6:01 ` Eric Biggers
2019-11-27 8:49 ` Xin Long
2019-11-27 13:22 ` Marcelo Ricardo Leitner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191127132246.GN388551@localhost.localdomain \
--to=marcelo.leitner@gmail.com \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=glider@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=nhorman@tuxdriver.com \
--cc=syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).