public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-05 08:43:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net
History
Neil Horman 0aee4c2598 sctp: Fix double free in sctp_sendmsg_to_asoc 
syzbot/kasan detected a double free in sctp_sendmsg_to_asoc:
BUG: KASAN: use-after-free in sctp_association_free+0x7b7/0x930
net/sctp/associola.c:332
Read of size 8 at addr ffff8801d8006ae0 by task syzkaller914861/4202

CPU: 1 PID: 4202 Comm: syzkaller914861 Not tainted 4.16.0-rc4+ #258
Hardware name: Google Google Compute Engine/Google Compute Engine
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 sctp_association_free+0x7b7/0x930 net/sctp/associola.c:332
 sctp_sendmsg+0xc67/0x1a80 net/sctp/socket.c:2075
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:639
 SYSC_sendto+0x361/0x5c0 net/socket.c:1748
 SyS_sendto+0x40/0x50 net/socket.c:1716
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

This was introduced by commit:
f84af33 sctp: factor out sctp_sendmsg_to_asoc from sctp_sendmsg

As the newly refactored function moved the wait_for_sndbuf call to a
point after the association was connected, allowing for peeloff events
to occur, which in turn caused wait_for_sndbuf to return -EPIPE which
was not caught by the logic that determines if an association should be
freed or not.

Fix it the easy way by returning the ordering of
sctp_primitive_ASSOCIATE and sctp_wait_for_sndbuf to the old order, to
ensure that EPIPE will not happen.

Tested by myself using the syzbot reproducers with positive results

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: davem@davemloft.net
CC: Xin Long <lucien.xin@gmail.com>
Reported-by: syzbot+a4e4112c3aff00c8cfd8@syzkaller.appspotmail.com
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-15 14:32:04 -04:00
..
6lowpan
9p
802
8021q
appletalk
atm
ax25
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-06 01:20:46 -05:00
bluetooth
bpf
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-06 01:20:46 -05:00
caif net: Convert caif_net_ops 2018-03-05 10:48:27 -05:00
can net: Convert cangw_pernet_ops 2018-03-05 10:48:27 -05:00
ceph
core sock: remove zerocopy sockopt restriction on closed tcp state 2018-03-14 12:51:28 -04:00
dcb
dccp net: Convert dccp_v6_ops 2018-03-05 10:48:28 -05:00
decnet
dns_resolver
dsa dsa: Pass the port to get_sset_count() 2018-03-04 13:34:18 -05:00
ethernet
hsr
ieee802154
ife
ipv4 net: do not create fallback tunnels for non-default namespaces 2018-03-09 11:23:11 -05:00
ipv6 ipv6: Use ip6_multipath_hash_policy() in rt6_multipath_hash(). 2018-03-12 11:09:33 -04:00
iucv
kcm
key
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-06 01:20:46 -05:00
l3mdev
lapb
llc net: llc: drop VLA in llc_sap_mcast() 2018-03-12 11:14:06 -04:00
mac80211 net: drivers/net: Remove unnecessary skb_copy_expand OOM messages 2018-03-15 14:28:03 -04:00
mac802154
mpls net: rename skb_gso_validate_mtu -> skb_gso_validate_network_len 2018-03-04 17:49:17 -05:00
ncsi net/ncsi: unlock on error in ncsi_set_interface_nl() 2018-03-08 21:49:58 -05:00
netfilter net: drivers/net: Remove unnecessary skb_copy_expand OOM messages 2018-03-15 14:28:03 -04:00
netlabel
netlink
netrom
nfc
nsh
openvswitch openvswitch: fix vport packet length check. 2018-03-08 12:50:29 -05:00
packet
phonet
psample
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-06 01:20:46 -05:00
rds net: Convert rds_tcp_net_ops 2018-03-13 11:24:56 -04:00
rfkill
rose
rxrpc
sched net sched actions: implement get_fill_size routine in act_gact 2018-03-09 11:25:12 -05:00
sctp sctp: Fix double free in sctp_sendmsg_to_asoc 2018-03-15 14:32:04 -04:00
smc net/smc: schedule free_work when link group is terminated 2018-03-14 13:40:44 -04:00
strparser
sunrpc
switchdev
tipc net: Convert tipc_net_ops 2018-03-13 11:24:56 -04:00
tls
unix
vmw_vsock
wimax
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-06 01:20:46 -05:00
x25
xfrm net: Convert xfrm_user_net_ops 2018-03-08 12:36:43 -05:00
compat.c
Kconfig
Makefile
socket.c socket: skip checking sk_err for recvmmsg(MSG_ERRQUEUE) 2018-03-01 21:27:49 -05:00
sysctl_net.c