From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Alexey Kodanev <alexey.kodanev@oracle.com>,
Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 4.4 31/36] sctp: verify size of a new chunk in _sctp_make_chunk()
Date: Tue, 13 Mar 2018 10:56:00 +0100 [thread overview]
Message-ID: <20180313095600.GA5131@kroah.com> (raw)
In-Reply-To: <1520902018.23626.90.camel@codethink.co.uk>
On Tue, Mar 13, 2018 at 12:46:58AM +0000, Ben Hutchings wrote:
> On Fri, 2018-03-09 at 16:18 -0800, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Alexey Kodanev <alexey.kodanev@oracle.com>
> >
> >
> > [ Upstream commit 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c ]
> >
> > When SCTP makes INIT or INIT_ACK packet the total chunk length
> > can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
> > transmitting these packets, e.g. the crash on sending INIT_ACK:
> >
> > [ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
> > put:120156 head:000000007aa47635 data:00000000d991c2de
> > tail:0x1d640 end:0xfec0 dev:<NULL>
> > ...
> > [ 597.976970] ------------[ cut here ]------------
> > [ 598.033408] kernel BUG at net/core/skbuff.c:104!
> > [ 600.314841] Call Trace:
> > [ 600.345829] <IRQ>
> > [ 600.371639] ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
> > [ 600.436934] skb_put+0x16c/0x200
> > [ 600.477295] sctp_packet_transmit+0x2095/0x26d0 [sctp]
> > [ 600.540630] ? sctp_packet_config+0x890/0x890 [sctp]
> > [ 600.601781] ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
> > [ 600.671356] ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
> > [ 600.731482] sctp_outq_flush+0x663/0x30d0 [sctp]
> > [ 600.788565] ? sctp_make_init+0xbf0/0xbf0 [sctp]
> > [ 600.845555] ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
> > [ 600.912945] ? sctp_outq_tail+0x631/0x9d0 [sctp]
> > [ 600.969936] sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
> > [ 601.041593] ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
> > [ 601.104837] ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
> > [ 601.175436] ? sctp_eat_data+0x1710/0x1710 [sctp]
> > [ 601.233575] sctp_do_sm+0x182/0x560 [sctp]
> > [ 601.284328] ? sctp_has_association+0x70/0x70 [sctp]
> > [ 601.345586] ? sctp_rcv+0xef4/0x32f0 [sctp]
> > [ 601.397478] ? sctp6_rcv+0xa/0x20 [sctp]
> > ...
> >
> > Here the chunk size for INIT_ACK packet becomes too big, mostly
> > because of the state cookie (INIT packet has large size with
> > many address parameters), plus additional server parameters.
> >
> > Later this chunk causes the panic in skb_put_data():
> >
> > skb_packet_transmit()
> > sctp_packet_pack()
> > skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
> >
> > 'nskb' (head skb) was previously allocated with packet->size
> > from u16 'chunk->chunk_hdr->length'.
> >
> > As suggested by Marcelo we should check the chunk's length in
> > _sctp_make_chunk() before trying to allocate skb for it and
> > discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.
> >
> > > Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
> > > Acked-by: Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>
> > > Acked-by: Neil Horman <nhorman@tuxdriver.com>
> > > Signed-off-by: David S. Miller <davem@davemloft.net>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > net/sctp/sm_make_chunk.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > --- a/net/sctp/sm_make_chunk.c
> > +++ b/net/sctp/sm_make_chunk.c
> > @@ -1367,10 +1367,14 @@ static struct sctp_chunk *_sctp_make_chu
> > sctp_chunkhdr_t *chunk_hdr;
> > struct sk_buff *skb;
> > struct sock *sk;
> > + int chunklen;
> > +
> > + chunklen = sizeof(*chunk_hdr) + paylen;
>
> I think this length still needs to be rounded up (with WORD_ROUND here,
> instead of SCTP_PAD4 upstream).
Ah, good point, how's this patch:
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 4ca31e052dd8..509e9426a056 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1369,7 +1369,7 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
struct sock *sk;
int chunklen;
- chunklen = sizeof(*chunk_hdr) + paylen;
+ chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
if (chunklen > SCTP_MAX_CHUNK_LEN)
goto nodata;
next prev parent reply other threads:[~2018-03-13 9:56 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-10 0:18 [PATCH 4.4 00/36] 4.4.121-stable review Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 01/36] tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 02/36] tpm_i2c_infineon: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 03/36] tpm_i2c_nuvoton: " Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 04/36] ALSA: usb-audio: Add a quirck for B&W PX headphones Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 05/36] ALSA: hda: Add a power_save blacklist Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 06/36] cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 07/36] media: m88ds3103: dont call a non-initalized function Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 08/36] nospec: Allow index argument to have const-qualified type Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 09/36] ARM: mvebu: Fix broken PL310_ERRATA_753970 selects Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 10/36] KVM: mmu: Fix overlap between public and private memslots Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 11/36] x86/syscall: Sanitize syscall table de-references under speculation fix Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 12/36] btrfs: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 13/36] ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux Greg Kroah-Hartman
2018-03-12 23:29 ` Ben Hutchings
2018-03-14 21:31 ` Adam Ford
2018-03-16 12:32 ` Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 14/36] x86/apic/vector: Handle legacy irq data correctly Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 15/36] leds: do not overflow sysfs buffer in led_trigger_show Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 16/36] x86/spectre: Fix an error message Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 17/36] Revert "led: core: Fix brightness setting when setting delay_off=0" Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 18/36] bridge: check brport attr show in brport_show Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 19/36] fib_semantics: Dont match route with mismatching tclassid Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 20/36] hdlc_ppp: carrier detect ok, dont turn off negotiation Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 21/36] ipv6 sit: work around bogus gcc-8 -Wrestrict warning Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 22/36] net: fix race on decreasing number of TX queues Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 23/36] net: ipv4: dont allow setting net.ipv4.route.min_pmtu below 68 Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 24/36] netlink: ensure to loop over all netns in genlmsg_multicast_allns() Greg Kroah-Hartman
2018-03-13 0:04 ` Ben Hutchings
2018-03-14 17:06 ` Nicolas Dichtel
2018-03-14 20:10 ` [PATCH net] netlink: avoid a double skb free in genlmsg_mcast() Nicolas Dichtel
2018-03-16 16:36 ` David Miller
2018-03-10 0:18 ` [PATCH 4.4 25/36] ppp: prevent unregistered channels from connecting to PPP units Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 26/36] udplite: fix partial checksum initialization Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 27/36] sctp: fix dst refcnt leak in sctp_v4_get_dst Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 28/36] sctp: fix dst refcnt leak in sctp_v6_get_dst() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 29/36] s390/qeth: fix SETIP command handling Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 30/36] s390/qeth: fix IPA command submission race Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 31/36] sctp: verify size of a new chunk in _sctp_make_chunk() Greg Kroah-Hartman
2018-03-13 0:46 ` Ben Hutchings
2018-03-13 9:56 ` Greg Kroah-Hartman [this message]
2018-03-14 16:23 ` Ben Hutchings
2018-03-10 0:18 ` [PATCH 4.4 32/36] net: mpls: Pull common label check into helper Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 33/36] mpls, nospec: Sanitize array index in mpls_label_ok() Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 34/36] dm io: fix duplicate bio completion due to missing ref count Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 35/36] bpf, x64: implement retpoline for tail call Greg Kroah-Hartman
2018-03-10 0:18 ` [PATCH 4.4 36/36] btrfs: preserve i_mode if __btrfs_set_acl() fails Greg Kroah-Hartman
2018-03-10 0:50 ` [PATCH 4.4 00/36] 4.4.121-stable review Nathan Chancellor
2018-03-10 1:03 ` Greg Kroah-Hartman
2018-03-10 1:07 ` Nathan Chancellor
2018-03-10 5:16 ` Shuah Khan
2018-03-10 7:19 ` kernelci.org bot
2018-03-10 15:43 ` Guenter Roeck
2018-03-12 11:39 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180313095600.GA5131@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=alexey.kodanev@oracle.com \
--cc=ben.hutchings@codethink.co.uk \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.leinter@gmail.com \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).