From: Xin Long
To: network dev, linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, Marcelo Ricardo Leitner, Neil Horman, syzkaller@googlegroups.com
Subject: [PATCH net] sctp: not copy sctp_sock pd_lobby in sctp_copy_descendant
Date: Mon, 18 Mar 2019 19:58:29 +0800
Message-Id: <130ce0bbbc015f9fb47f97b51c650843e2ac39a3.1552910309.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Now sctp_copy_descendant() copies pd_lobby from old sctp sock to new sctp
sock. If sctp_sock_migrate() returns error, it will panic when releasing
new sock and trying to purge pd_lobby due to the incorrect pointers in
pd_lobby.

[ 120.485116] kasan: CONFIG_KASAN_INLINE enabled
[ 120.486270] kasan: GPF could be caused by NULL-ptr deref or user
[ 120.509901] Call Trace:
[ 120.510443]  sctp_ulpevent_free+0x1e8/0x490 [sctp]
[ 120.511438]  sctp_queue_purge_ulpevents+0x97/0xe0 [sctp]
[ 120.512535]  sctp_close+0x13a/0x700 [sctp]
[ 120.517483]  inet_release+0xdc/0x1c0
[ 120.518215]  __sock_release+0x1d2/0x2a0
[ 120.519025]  sctp_do_peeloff+0x30f/0x3c0 [sctp]

We fix it by not copying sctp_sock pd_lobby in sctp_copy_descendant(),
and skb_queue_head_init() can also be removed in sctp_sock_migrate().

Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
Fixes: 89664c623617 ("sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails")
Signed-off-by: Xin Long
---
 net/sctp/socket.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 6140471..65b5386 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9169,7 +9169,7 @@ static inline void sctp_copy_descendant(struct sock *sk_to, { int ancestor_size = sizeof(struct inet_sock) + sizeof(struct sctp_sock) - - offsetof(struct sctp_sock, auto_asconf_list); + offsetof(struct sctp_sock, pd_lobby); if (sk_from->sk_family == PF_INET6) ancestor_size += sizeof(struct ipv6_pinfo); @@ -9253,7 +9253,6 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, * 2) Peeling off partial delivery; keep pd_lobby in new pd_lobby. * 3) Peeling off non-partial delivery; move pd_lobby to receive_queue. */ - skb_queue_head_init(&newsp->pd_lobby); atomic_set(&sctp_sk(newsk)->pd_mode, assoc->ulpq.pd_mode); if (atomic_read(&sctp_sk(oldsk)->pd_mode)) { -- 2.1.0
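Review bot: In the sctp_copy_descendant() hunk, moving the subtraction from offsetof(struct sctp_sock, auto_asconf_list) to offsetof(struct sctp_sock, pd_lobby) excludes every byte of struct sctp_sock from pd_lobby to the end of the struct from the copy, not only pd_lobby itself, so the fix is correct only if no field the new socket needs sits between pd_lobby and auto_asconf_list; the struct definition is not part of this diff, so that ordering cannot be checked from the hunk. Suggest a comment on pd_lobby in the struct definition stating that it and everything after it are skipped by sctp_copy_descendant(), or a BUILD_BUG_ON(offsetof(struct sctp_sock, pd_lobby) > offsetof(struct sctp_sock, auto_asconf_list)) next to this computation, so a later reordering of the struct does not silently copy the queue head again.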
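Review bot: In the sctp_sock_migrate() hunk, removing skb_queue_head_init(&newsp->pd_lobby) leaves newsk->pd_lobby in whatever state it had before the copy, and nothing in this hunk shows where that initialization now happens; the commit message only says the call "can also be removed". With the first hunk applied the copy no longer touches pd_lobby, so the removal is safe only if every newsk that reaches sctp_sock_migrate() (the accept and peeloff paths) has already had pd_lobby initialized by the socket init path before the migrate error return. Suggest naming that init path in the commit message, because an uninitialized pd_lobby on the same error path would produce the same purge crash in sctp_close() that this patch fixes.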
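The failure the commit message describes, as an added userland C model (this is not kernel code and not from the patch author): a memcpy of a structure that contains an intrusive list head copies the head's next/prev pointers, so the copy's queue now points at nodes that still belong to the original queue, and purging the copy walks, and would free, the original's entries. The names struct inet_model, sock_model, queue_head, node, lobby and bounded_purge() are stand-ins for inet_sock, sctp_sock, sk_buff_head, sk_buff, pd_lobby and sctp_queue_purge_ulpevents(), and copy_descendant() mirrors the way ancestor_size selects the copied region; all are assumptions of this example.

```c
/*
 * Added example, not kernel code: model of the pd_lobby copy bug.
 * Type and function names are assumptions standing in for the kernel's
 * inet_sock / sctp_sock / sk_buff_head / sk_buff / pd_lobby.
 */
#include <stddef.h>
#include <string.h>

struct node {                       /* ~ struct sk_buff */
    struct node *next, *prev;
    int id;
};

struct queue_head {                 /* ~ struct sk_buff_head: sentinel node plus length */
    struct node head;
    unsigned int qlen;
};

struct inet_model { int saddr, daddr; };   /* ~ struct inet_sock, never copied */

struct sock_model {                 /* ~ struct sctp_sock */
    struct inet_model inet;
    int pd_mode;
    struct queue_head lobby;        /* ~ pd_lobby: points into this sock's own nodes */
    struct { void *n, *p; } auto_asconf_list;   /* already excluded from copies */
};

static void queue_init(struct queue_head *q)
{
    q->head.next = q->head.prev = &q->head;
    q->qlen = 0;
}

static void queue_tail(struct queue_head *q, struct node *n)
{
    struct node *last = q->head.prev;
    n->next = &q->head;
    n->prev = last;
    last->next = n;
    q->head.prev = n;
    q->qlen++;
}

/* ~ __inet_sk_copy_descendant(): copy the protocol-private part that follows
 * the inet part, up to but not including the field at offset `stop`. */
static void copy_descendant(struct sock_model *to, const struct sock_model *from, size_t stop)
{
    memcpy(&to->inet + 1, &from->inet + 1, stop - sizeof(struct inet_model));
}

/* ~ sctp_queue_purge_ulpevents(): unlink entries until the list closes on its
 * own sentinel. Returns the number walked, or -1 if the walk never returns to
 * q within max_steps, i.e. it is following pointers that belong to another
 * queue (the "incorrect pointers in pd_lobby" case from the report). */
static int bounded_purge(struct queue_head *q, int max_steps)
{
    int walked = 0;
    struct node *n = q->head.next;

    while (n != &q->head) {
        if (walked++ >= max_steps)
            return -1;
        n = n->next;                /* a real purge would kfree_skb() here */
    }
    queue_init(q);
    return walked;
}

/* Reproduce the reported path: newsk is created and initialized, migrate
 * copies the descendant fields, migrate then fails, and the caller releases
 * newsk, whose close path purges newsk.lobby. with_fix selects the copy
 * boundary used before (auto_asconf_list) or after (lobby) the patch. */
static int migrate_then_fail(int with_fix)
{
    struct sock_model oldsk, newsk;
    struct node a = { 0 }, b = { 0 };       /* constructed sample events */
    size_t stop = with_fix ? offsetof(struct sock_model, lobby)
                           : offsetof(struct sock_model, auto_asconf_list);

    memset(&oldsk, 0, sizeof oldsk);
    memset(&newsk, 0, sizeof newsk);
    queue_init(&oldsk.lobby);
    queue_init(&newsk.lobby);               /* what socket init does for newsk */
    a.id = 1;
    b.id = 2;
    queue_tail(&oldsk.lobby, &a);           /* two events parked in oldsk's lobby */
    queue_tail(&oldsk.lobby, &b);

    copy_descendant(&newsk, &oldsk, stop);
    /* ... migrate returns an error before moving any entry ... */
    return bounded_purge(&newsk.lobby, 16);
}
```

Without the fix the copied sentinel in newsk.lobby points at a and b while their back-links still lead to oldsk.lobby, so the purge cycles through the old socket's queue and never terminates on its own head (and in the kernel would free skbs the old socket still owns); with the boundary moved to the queue head, newsk.lobby keeps the empty state from its own init and the purge finds nothing.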