From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexander Potapenko <glider@google.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 08/16] net/sctp: Always set scope_id in sctp_inet6_skb_msgname
Date: Wed, 22 Nov 2017 11:12:01 +0100 [thread overview]
Message-ID: <20171122101111.171385746@linuxfoundation.org> (raw)
In-Reply-To: <20171122101110.784746358@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec ]
Alexandar Potapenko while testing the kernel with KMSAN and syzkaller
discovered that in some configurations sctp would leak 4 bytes of
kernel stack.
Working with his reproducer I discovered that those 4 bytes that
are leaked is the scope id of an ipv6 address returned by recvmsg.
With a little code inspection and a shrewd guess I discovered that
sctp_inet6_skb_msgname only initializes the scope_id field for link
local ipv6 addresses to the interface index the link local address
pertains to instead of initializing the scope_id field for all ipv6
addresses.
That is almost reasonable as scope_id's are meaniningful only for link
local addresses. Set the scope_id in all other cases to 0 which is
not a valid interface index to make it clear there is nothing useful
in the scope_id field.
There should be no danger of breaking userspace as the stack leak
guaranteed that previously meaningless random data was being returned.
Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.")
History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/ipv6.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -806,6 +806,8 @@ static void sctp_inet6_skb_msgname(struc
if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
struct sctp_ulpevent *ev = sctp_skb2event(skb);
addr->v6.sin6_scope_id = ev->iif;
+ } else {
+ addr->v6.sin6_scope_id = 0;
}
}
next prev parent reply other threads:[~2017-11-22 10:13 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-22 10:11 [PATCH 4.4 00/16] 4.4.101-stable review Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 01/16] tcp: do not mangle skb->cb[] in tcp_make_synack() Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 02/16] netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 03/16] bonding: discard lowest hash bit for 802.3ad layer3+4 Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 04/16] vlan: fix a use-after-free in vlan_device_event() Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 05/16] af_netlink: ensure that NLMSG_DONE never fails in dumps Greg Kroah-Hartman
2017-11-22 10:11 ` [PATCH 4.4 06/16] sctp: do not peel off an assoc from one netns to another one Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 07/16] fealnx: Fix building error on MIPS Greg Kroah-Hartman
2017-11-22 10:12 ` Greg Kroah-Hartman [this message]
2017-11-22 10:12 ` [PATCH 4.4 09/16] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 10/16] serial: omap: Fix EFR write on RTS deassertion Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 11/16] arm64: fix dump_instr when PAN and UAO are in use Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 12/16] [PATCH-stable] nvme: Fix memory order on async queue deletion Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 13/16] ocfs2: should wait dio before inode lock in ocfs2_setattr() Greg Kroah-Hartman
2017-12-05 15:49 ` Ben Hutchings
2017-12-06 1:02 ` alex chen
2017-12-06 16:36 ` Greg Kroah-Hartman
2017-12-07 18:25 ` Ben Hutchings
2017-12-08 0:39 ` alex chen
2017-12-08 2:26 ` Ben Hutchings
2017-12-08 4:03 ` alex chen
2017-12-08 5:36 ` Ben Hutchings
2017-12-08 6:16 ` alex chen
2017-12-08 10:04 ` Changwei Ge
2017-12-12 1:34 ` alex chen
2017-11-22 10:12 ` [PATCH 4.4 14/16] ipmi: fix unsigned long underflow Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 15/16] mm/page_alloc.c: broken deferred calculation Greg Kroah-Hartman
2017-11-22 10:12 ` [PATCH 4.4 16/16] coda: fix kernel memory exposure attempt in fsync Greg Kroah-Hartman
2017-11-22 15:29 ` [PATCH 4.4 00/16] 4.4.101-stable review Nathan Chancellor
2017-11-22 17:05 ` Greg Kroah-Hartman
2017-11-22 17:38 ` Nathan Chancellor
2017-11-22 21:32 ` Guenter Roeck
2017-11-23 14:28 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171122101111.171385746@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=glider@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).