From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27BE7C43381 for ; Wed, 6 Mar 2019 18:27:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 084A8206DD for ; Wed, 6 Mar 2019 18:27:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726756AbfCFS1L (ORCPT ); Wed, 6 Mar 2019 13:27:11 -0500 Received: from charlotte.tuxdriver.com ([70.61.120.58]:49409 "EHLO smtp.tuxdriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725747AbfCFS1K (ORCPT ); Wed, 6 Mar 2019 13:27:10 -0500 Received: from [216.85.170.145] (helo=localhost) by smtp.tuxdriver.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1h1bFu-00037g-6G; Wed, 06 Mar 2019 13:27:04 -0500 Date: Wed, 6 Mar 2019 13:26:56 -0500 From: Neil Horman To: Xin Long Cc: network dev , linux-sctp@vger.kernel.org, davem@davemloft.net, Marcelo Ricardo Leitner Subject: Re: [PATCH net 3/3] sctp: call sctp_auth_init_hmacs() in sctp_sock_migrate() Message-ID: <20190306182656.GD10683@neilslaptop.think-freely.org> References: <0ed481dc54f3d2339dacc370784219fa623a33a6.1551606805.git.lucien.xin@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0ed481dc54f3d2339dacc370784219fa623a33a6.1551606805.git.lucien.xin@gmail.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Sun, Mar 03, 2019 at 05:54:55PM +0800, Xin Long wrote: > New ep's auth_hmacs should be set if old ep's is set, in case that > net->sctp.auth_enable has been changed to 0 by users and new ep's > auth_hmacs couldn't be set in sctp_endpoint_init(). > > It can even crash kernel by doing: > > 1. on server: sysctl -w net.sctp.auth_enable=1, > sysctl -w net.sctp.addip_enable=1, > sysctl -w net.sctp.addip_noauth_enable=0, > listen() on server, > sysctl -w net.sctp.auth_enable=0. > 2. on client: connect() to server. > 3. on server: accept() the asoc, > sysctl -w net.sctp.auth_enable=1. > 4. on client: send() asconf packet to server. > > The call trace: > > [ 245.280251] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 > [ 245.286872] RIP: 0010:sctp_auth_calculate_hmac+0xa3/0x140 [sctp] > [ 245.304572] Call Trace: > [ 245.305091] > [ 245.311287] sctp_sf_authenticate+0x110/0x160 [sctp] > [ 245.312311] sctp_sf_eat_auth+0xf2/0x230 [sctp] > [ 245.313249] sctp_do_sm+0x9a/0x2d0 [sctp] > [ 245.321483] sctp_assoc_bh_rcv+0xed/0x1a0 [sctp] > [ 245.322495] sctp_rcv+0xa66/0xc70 [sctp] > > It's because the old ep->auth_hmacs wasn't copied to the new ep while > ep->auth_hmacs is used in sctp_auth_calculate_hmac() when processing > the incoming auth chunks, and it should have been done when migrating > sock. > > Reported-by: Ying Xu > Signed-off-by: Xin Long > --- > net/sctp/socket.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index 22adb8d..def3335 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -8978,6 +8978,16 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, > if (err) > return err; > > + /* New ep's auth_hmacs should be set if old ep's is set, in case > + * that net->sctp.auth_enable has been changed to 0 by users and > + * new ep's auth_hmacs couldn't be set in sctp_endpoint_init(). > + */ > + if (oldsp->ep->auth_hmacs) { > + err = sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL); > + if (err) > + return err; > + } > + > /* Move any messages in the old socket's receive queue that are for the > * peeled off association to the new socket's receive queue. > */ > -- > 2.1.0 > > Acked-by: Neil Horman