From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Xin Long <lucien.xin@gmail.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 4.19 03/57] sctp: fix the processing for INIT_ACK chunk
Date: Mon, 21 Mar 2022 14:51:44 +0100 [thread overview]
Message-ID: <20220321133222.085585303@linuxfoundation.org> (raw)
In-Reply-To: <20220321133221.984120927@linuxfoundation.org>
From: Xin Long <lucien.xin@gmail.com>
commit 438b95a7c98f77d51cbf4db021f41b602d750a3f upstream.
Currently INIT_ACK chunk in non-cookie_echoed state is processed in
sctp_sf_discard_chunk() to send an abort with the existent asoc's
vtag if the chunk length is not valid. But the vtag in the chunk's
sctphdr is not verified, which may be exploited by one to cook a
malicious chunk to terminal a SCTP asoc.
sctp_sf_discard_chunk() also is called in many other places to send
an abort, and most of those have this problem. This patch is to fix
it by sending abort with the existent asoc's vtag only if the vtag
from the chunk's sctphdr is verified in sctp_sf_discard_chunk().
Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
the chunk length has been verified before sctp_sf_discard_chunk(),
so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/sm_statefuns.c | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2304,7 +2304,7 @@ enum sctp_disposition sctp_sf_shutdown_p
*/
if (SCTP_ADDR_DEL ==
sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
if (!sctp_err_chunk_valid(chunk))
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -2350,7 +2350,7 @@ enum sctp_disposition sctp_sf_shutdown_s
*/
if (SCTP_ADDR_DEL ==
sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
if (!sctp_err_chunk_valid(chunk))
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -2620,7 +2620,7 @@ enum sctp_disposition sctp_sf_do_9_1_abo
*/
if (SCTP_ADDR_DEL ==
sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
- return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
if (!sctp_err_chunk_valid(chunk))
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -3787,6 +3787,11 @@ enum sctp_disposition sctp_sf_do_asconf(
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
}
+ /* Make sure that the ASCONF ADDIP chunk has a valid length. */
+ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+ commands);
+
/* ADD-IP: Section 4.1.1
* This chunk MUST be sent in an authenticated way by using
* the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
@@ -3794,13 +3799,7 @@ enum sctp_disposition sctp_sf_do_asconf(
* described in [I-D.ietf-tsvwg-sctp-auth].
*/
if (!net->sctp.addip_noauth && !chunk->auth)
- return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
- commands);
-
- /* Make sure that the ASCONF ADDIP chunk has a valid length. */
- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
- commands);
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
hdr = (struct sctp_addiphdr *)chunk->skb->data;
serial = ntohl(hdr->serial);
@@ -3929,6 +3928,12 @@ enum sctp_disposition sctp_sf_do_asconf_
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
}
+ /* Make sure that the ADDIP chunk has a valid length. */
+ if (!sctp_chunk_length_valid(asconf_ack,
+ sizeof(struct sctp_addip_chunk)))
+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+ commands);
+
/* ADD-IP, Section 4.1.2:
* This chunk MUST be sent in an authenticated way by using
* the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
@@ -3936,14 +3941,7 @@ enum sctp_disposition sctp_sf_do_asconf_
* described in [I-D.ietf-tsvwg-sctp-auth].
*/
if (!net->sctp.addip_noauth && !asconf_ack->auth)
- return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
- commands);
-
- /* Make sure that the ADDIP chunk has a valid length. */
- if (!sctp_chunk_length_valid(asconf_ack,
- sizeof(struct sctp_addip_chunk)))
- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
- commands);
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
rcvd_serial = ntohl(addip_hdr->serial);
@@ -4515,6 +4513,9 @@ enum sctp_disposition sctp_sf_discard_ch
{
struct sctp_chunk *chunk = arg;
+ if (asoc && !sctp_vtag_verify(chunk, asoc))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* Make sure that the chunk has a valid length.
* Since we don't know the chunk type, we use a general
* chunkhdr structure to make a comparison.
next prev parent reply other threads:[~2022-03-21 14:05 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-21 13:51 [PATCH 4.19 00/57] 4.19.236-rc1 review Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 01/57] Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0" Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 02/57] sctp: fix the processing for INIT chunk Greg Kroah-Hartman
2022-03-21 13:51 ` Greg Kroah-Hartman [this message]
2022-03-21 13:51 ` [PATCH 4.19 04/57] xfrm: Check if_id in xfrm_migrate Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 05/57] xfrm: Fix xfrm migrate issues when address family changes Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 06/57] arm64: dts: rockchip: fix rk3399-puma eMMC HS400 signal integrity Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 07/57] arm64: dts: rockchip: reorder rk3399 hdmi clocks Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 08/57] ARM: dts: rockchip: fix a typo on rk3288 crypto-controller Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 09/57] MIPS: smp: fill in sibling and core maps earlier Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 10/57] ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 11/57] can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 12/57] atm: firestream: check the return value of ioremap() in fs_init() Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 13/57] nl80211: Update bss channel on channel switch for P2P_CLIENT Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 14/57] tcp: make tcp_read_sock() more robust Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 15/57] sfc: extend the locking on mcdi->seqno Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 16/57] kselftest/vm: fix tests build with old libc Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 17/57] sched/topology: Make sched_init_numa() use a set for the deduplicating sort Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 18/57] sched/topology: Fix sched_domain_topology_level alloc in sched_init_numa() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 19/57] ia64: ensure proper NUMA distance and possible map initialization Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 20/57] cpuset: Fix unsafe lock order between cpuset lock and cpuslock Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 21/57] mm: fix dereference a null pointer in migrate[_huge]_page_move_mapping() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 22/57] fs: sysfs_emit: Remove PAGE_SIZE alignment check Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 23/57] arm64: Add part number for Arm Cortex-A77 Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 24/57] arm64: Add Neoverse-N2, Cortex-A710 CPU part definition Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 25/57] arm64: Add Cortex-X2 " Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 26/57] arm64: entry.S: Add ventry overflow sanity checks Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 27/57] arm64: entry: Make the trampoline cleanup optional Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 28/57] arm64: entry: Free up another register on kptis tramp_exit path Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 29/57] arm64: entry: Move the trampoline data page before the text page Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 30/57] arm64: entry: Allow tramp_alias to access symbols after the 4K boundary Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 31/57] arm64: entry: Dont assume tramp_vectors is the start of the vectors Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 32/57] arm64: entry: Move trampoline macros out of ifdefd section Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 33/57] arm64: entry: Make the kpti trampolines kpti sequence optional Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 34/57] arm64: entry: Allow the trampoline text to occupy multiple pages Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 35/57] arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 36/57] arm64: entry: Add vectors that have the bhb mitigation sequences Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 37/57] arm64: entry: Add macro for reading symbol addresses from the trampoline Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 38/57] arm64: Add percpu vectors for EL1 Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 39/57] arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2 Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 40/57] KVM: arm64: Add templates for BHB mitigation sequences Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 41/57] arm64: Mitigate spectre style branch history side channels Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 42/57] KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 43/57] arm64: add ID_AA64ISAR2_EL1 sys register Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 44/57] arm64: Use the clearbhb instruction in mitigations Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 45/57] crypto: qcom-rng - ensure buffer for generate is completely filled Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 46/57] ocfs2: fix crash when initialize filecheck kobj fails Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 47/57] efi: fix return value of __setup handlers Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 48/57] net/packet: fix slab-out-of-bounds access in packet_recvmsg() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 49/57] atm: eni: Add check for dma_map_single Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 50/57] hv_netvsc: Add check for kvmalloc_array Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 51/57] drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 52/57] net: handle ARPHRD_PIMREG in dev_is_mac_header_xmit() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 53/57] net: dsa: Add missing of_node_put() in dsa_port_parse_of Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 54/57] usb: gadget: rndis: prevent integer overflow in rndis_set_response() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 55/57] usb: gadget: Fix use-after-free bug by not setting udc->dev.driver Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 56/57] Input: aiptek - properly check endpoint type Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 57/57] perf symbols: Fix symbol size calculation condition Greg Kroah-Hartman
2022-03-21 18:00 ` [PATCH 4.19 00/57] 4.19.236-rc1 review Pavel Machek
2022-03-21 23:24 ` Shuah Khan
2022-03-22 1:59 ` Guenter Roeck
2022-03-22 12:54 ` Sudip Mukherjee
2022-03-22 15:23 ` Naresh Kamboju
2022-03-23 0:55 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220321133222.085585303@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=ovidiu.panait@windriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox