From: Xin Long <lucien.xin@gmail.com>
To: network dev <netdev@vger.kernel.org>, linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>, Neil Horman <nhorman@tuxdriver.com>
Subject: [PATCH net 3/3] sctp: call sctp_auth_init_hmacs() in sctp_sock_migrate()
Date: Sun, 3 Mar 2019 17:54:55 +0800
Message-ID: <0ed481dc54f3d2339dacc370784219fa623a33a6.1551606805.git.lucien.xin@gmail.com>
In-Reply-To: <408620556c373e59442bf68f97cba3a03ac3267a.1551606805.git.lucien.xin@gmail.com>
In-Reply-To: <cover.1551606805.git.lucien.xin@gmail.com>

New ep's auth_hmacs should be set if old ep's is set, in case that
net->sctp.auth_enable has been changed to 0 by users and new ep's
auth_hmacs couldn't be set in sctp_endpoint_init().

It can even crash the kernel by doing:

  1. on server: sysctl -w net.sctp.auth_enable=1,
                sysctl -w net.sctp.addip_enable=1,
                sysctl -w net.sctp.addip_noauth_enable=0,
                listen() on server,
                sysctl -w net.sctp.auth_enable=0.
  2. on client: connect() to server.
  3. on server: accept() the asoc, sysctl -w net.sctp.auth_enable=1.
  4. on client: send() asconf packet to server.

The call trace:

  [ 245.280251] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  [ 245.286872] RIP: 0010:sctp_auth_calculate_hmac+0xa3/0x140 [sctp]
  [ 245.304572] Call Trace:
  [ 245.305091]  <IRQ>
  [ 245.311287]  sctp_sf_authenticate+0x110/0x160 [sctp]
  [ 245.312311]  sctp_sf_eat_auth+0xf2/0x230 [sctp]
  [ 245.313249]  sctp_do_sm+0x9a/0x2d0 [sctp]
  [ 245.321483]  sctp_assoc_bh_rcv+0xed/0x1a0 [sctp]
  [ 245.322495]  sctp_rcv+0xa66/0xc70 [sctp]

It's because the old ep->auth_hmacs wasn't copied to the new ep while
ep->auth_hmacs is used in sctp_auth_calculate_hmac() when processing
the incoming auth chunks, and it should have been done when migrating
sock.

Reported-by: Ying Xu <yinxu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/sctp/socket.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 22adb8d..def3335 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -8978,6 +8978,16 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, if (err) return err; + /* New ep's auth_hmacs should be set if old ep's is set, in case + * that net->sctp.auth_enable has been changed to 0 by users and + * new ep's auth_hmacs couldn't be set in sctp_endpoint_init(). + */ + if (oldsp->ep->auth_hmacs) { + err = sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL); + if (err) + return err; + } + /* Move any messages in the old socket's receive queue that are for the * peeled off association to the new socket's receive queue. */ -- 2.1.0
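Review bot: the new block keys only on oldsp->ep->auth_hmacs and never looks at newsp->ep->auth_hmacs, so when the new endpoint was already given HMAC transforms by sctp_endpoint_init() (auth_enable still 1 at accept time) this call re-enters sctp_auth_init_hmacs() on an endpoint that is already set up. If that function is idempotent, the comment should say so, because nothing in the hunk makes that visible; otherwise guard the call with `if (oldsp->ep->auth_hmacs && !newsp->ep->auth_hmacs)` so the migration only fills in what sctp_endpoint_init() could not. The early `return err` on allocation failure follows the same pattern as the `if (err) return err;` just above it, which matches the series' intent of propagating sctp_sock_migrate() errors, so that part reads fine.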
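The four-step reproduction in the commit message, written out as a single C program (an added example; it is not part of the patch, the reporter's reproducer or the kernel tree). It runs both peers on one host over loopback instead of on two machines, so it assumes that the net.sctp sysctls are shared by both peers and therefore creates the client socket while auth_enable is still 1, and it assumes that SCTP_SOCKOPT_BINDX_ADD on an established association is what makes the client emit the ASCONF of step 4. SERVER_PORT and the 127.0.0.2 extra address are arbitrary choices; the sysctl directory is a parameter so the file-writing helper can be exercised without root. It needs root and an SCTP-capable kernel, and on a kernel without this fix the expected result is the oops from the commit message, so run it only on a disposable machine.

```c
/* Added reproducer for the commit message's four steps; not kernel code. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Values from include/uapi/linux/sctp.h, spelled out so that the
 * lksctp-tools <netinet/sctp.h> header is not required. */
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
#ifndef SOL_SCTP
#define SOL_SCTP 132
#endif
#ifndef SCTP_SOCKOPT_BINDX_ADD
#define SCTP_SOCKOPT_BINDX_ADD 100
#endif

#define SCTP_SYSCTL_DIR "/proc/sys/net/sctp"
#define SERVER_PORT 5000 /* arbitrary; any free port works */

/* Write one value to <dir>/<key>. With dir = SCTP_SYSCTL_DIR this is the
 * same as `sysctl -w net.sctp.<key>=<val>`. Returns 0 on success, -1 on
 * failure (directory missing, not root, short write). */
int sysctl_write(const char *dir, const char *key, const char *val)
{
	char path[256];
	FILE *f;
	int rc = 0;

	if (snprintf(path, sizeof(path), "%s/%s", dir, key) >= (int)sizeof(path))
		return -1;
	f = fopen(path, "w");
	if (!f)
		return -1;
	if (fputs(val, f) == EOF)
		rc = -1;
	if (fclose(f) != 0)
		rc = -1;
	return rc;
}

static void die(const char *what)
{
	perror(what);
	exit(1);
}

static void sctp_sysctl(const char *key, const char *val)
{
	if (sysctl_write(SCTP_SYSCTL_DIR, key, val) < 0)
		die(key);
	printf("net.sctp.%s = %s\n", key, val);
}

static struct sockaddr_in loopback_addr(const char *ip, unsigned short port)
{
	struct sockaddr_in a;

	memset(&a, 0, sizeof(a));
	a.sin_family = AF_INET;
	a.sin_port = htons(port);
	if (inet_pton(AF_INET, ip, &a.sin_addr) != 1)
		die("inet_pton");
	return a;
}

int main(void)
{
	struct sockaddr_in srv = loopback_addr("127.0.0.1", SERVER_PORT);
	struct sockaddr_in extra = loopback_addr("127.0.0.2", 0);
	int lfd, cfd, afd;

	/* Step 1 (server): AUTH on, ADD-IP on, ASCONF must be authenticated,
	 * then listen(). */
	sctp_sysctl("auth_enable", "1");
	sctp_sysctl("addip_enable", "1");
	sctp_sysctl("addip_noauth_enable", "0");
	lfd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
	if (lfd < 0)
		die("socket(server)");
	if (bind(lfd, (struct sockaddr *)&srv, sizeof(srv)) < 0)
		die("bind");
	if (listen(lfd, 1) < 0)
		die("listen");

	/* Single-host adaptation (assumption): the client endpoint is created
	 * now, while auth_enable is still 1, so it negotiates AUTH like a
	 * client on a second host whose sysctls were never touched. */
	cfd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
	if (cfd < 0)
		die("socket(client)");

	/* Still step 1: AUTH switched off before the association is accepted,
	 * so the accepted socket's endpoint is initialised without auth_hmacs. */
	sctp_sysctl("auth_enable", "0");

	/* Step 2 (client): connect(). */
	if (connect(cfd, (struct sockaddr *)&srv, sizeof(srv)) < 0)
		die("connect");

	/* Step 3 (server): accept() the asoc, then AUTH back on. */
	afd = accept(lfd, NULL, NULL);
	if (afd < 0)
		die("accept");
	sctp_sysctl("auth_enable", "1");

	/* Step 4 (client): adding a second local address to the live
	 * association makes the kernel send an ASCONF, which the server
	 * required to be authenticated in step 1 (assumed trigger). */
	if (setsockopt(cfd, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD,
		       &extra, sizeof(extra)) < 0)
		die("setsockopt(SCTP_SOCKOPT_BINDX_ADD)");

	/* The receive path runs in softirq context; on an unpatched kernel the
	 * oops shows up in dmesg before this delay ends. */
	sleep(1);
	puts("still alive: kernel appears to carry the sctp_sock_migrate() fix");

	close(afd);
	close(cfd);
	close(lfd);
	return 0;
}
```

Build with `gcc -Wall -o sctp-auth-repro sctp-auth-repro.c` and run it as root; if you want the two-host shape of the original steps, run the client half in a second network namespace instead of creating its socket early, which removes the shared-sysctl assumption.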
Thread overview (34+ messages):

2019-03-03  9:54 [PATCH net 0/3] sctp: process the error returned from sctp_sock_migrate() Xin Long
2019-03-03  9:54 ` [PATCH net 1/3] sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails Xin Long
2019-03-03  9:54 ` [PATCH net 2/3] sctp: move up sctp_auth_init_hmacs() in sctp_endpoint_init() Xin Long
2019-03-03  9:54 ` [PATCH net 3/3] sctp: call sctp_auth_init_hmacs() in sctp_sock_migrate() Xin Long [this message]
2019-03-06 18:26 ` [PATCH net 3/3] sctp: call sctp_auth_init_hmacs() in sctp_sock_migrate() Neil Horman
2019-03-06 18:24 ` [PATCH net 2/3] sctp: move up sctp_auth_init_hmacs() in sctp_endpoint_init() Neil Horman
2019-03-06 18:21 ` [PATCH net 1/3] sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails Neil Horman
2019-03-07 10:06 ` Xin Long
2019-03-07 11:59 ` Neil Horman
2019-03-07 18:25 ` Marcelo Ricardo Leitner
2019-03-08  3:48 ` Xin Long
2019-03-08 16:59 ` Marcelo Ricardo Leitner
2019-03-04 19:04 ` [PATCH net 0/3] sctp: process the error returned from sctp_sock_migrate() David Miller
2019-03-07 14:59 ` Marcelo Ricardo Leitner
2019-03-07 12:11 ` Neil Horman
2019-03-08 17:00 ` Marcelo Ricardo Leitner
2019-03-08 19:43 ` David Miller