From: Xin Long
To: network dev, linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, Marcelo Ricardo Leitner, Neil Horman
Subject: [PATCH net 3/3] sctp: call sctp_auth_init_hmacs() in sctp_sock_migrate()
Date: Sun, 3 Mar 2019 17:54:55 +0800
Message-Id: <0ed481dc54f3d2339dacc370784219fa623a33a6.1551606805.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.1.0
In-Reply-To: <408620556c373e59442bf68f97cba3a03ac3267a.1551606805.git.lucien.xin@gmail.com>
References: <6837e72485125c8740900fd17fa84ac68b8892a5.1551606805.git.lucien.xin@gmail.com> <408620556c373e59442bf68f97cba3a03ac3267a.1551606805.git.lucien.xin@gmail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

New ep's auth_hmacs should be set if old ep's is set, in case that
net->sctp.auth_enable has been changed to 0 by users and new ep's
auth_hmacs couldn't be set in sctp_endpoint_init().

It can even crash kernel by doing:

  1. on server: sysctl -w net.sctp.auth_enable=1,
     sysctl -w net.sctp.addip_enable=1,
     sysctl -w net.sctp.addip_noauth_enable=0,
     listen() on server,
     sysctl -w net.sctp.auth_enable=0.
  2. on client: connect() to server.
  3. on server: accept() the asoc, sysctl -w net.sctp.auth_enable=1.
  4. on client: send() asconf packet to server.

The call trace:

  [  245.280251] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  [  245.286872] RIP: 0010:sctp_auth_calculate_hmac+0xa3/0x140 [sctp]
  [  245.304572] Call Trace:
  [  245.305091]
  [  245.311287]  sctp_sf_authenticate+0x110/0x160 [sctp]
  [  245.312311]  sctp_sf_eat_auth+0xf2/0x230 [sctp]
  [  245.313249]  sctp_do_sm+0x9a/0x2d0 [sctp]
  [  245.321483]  sctp_assoc_bh_rcv+0xed/0x1a0 [sctp]
  [  245.322495]  sctp_rcv+0xa66/0xc70 [sctp]

It's because the old ep->auth_hmacs wasn't copied to the new ep while
ep->auth_hmacs is used in sctp_auth_calculate_hmac() when processing
the incoming auth chunks, and it should have been done when migrating
sock.

Reported-by: Ying Xu
Signed-off-by: Xin Long --- net/sctp/socket.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 22adb8d..def3335 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -8978,6 +8978,16 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, if (err) return err; + /* New ep's auth_hmacs should be set if old ep's is set, in case + * that net->sctp.auth_enable has been changed to 0 by users and + * new ep's auth_hmacs couldn't be set in sctp_endpoint_init(). + */ + if (oldsp->ep->auth_hmacs) { + err = sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL); + if (err) + return err; + } + /* Move any messages in the old socket's receive queue that are for the * peeled off association to the new socket's receive queue. */ -- 2.1.0
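Review bot: the new block in the sctp_sock_migrate() hunk calls sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL) whenever the old endpoint has auth_hmacs, but it never checks whether newsp->ep->auth_hmacs is already allocated, which is exactly the case when net->sctp.auth_enable was still 1 at the time sctp_endpoint_init() built the new endpoint. Unless sctp_auth_init_hmacs() is guaranteed to be a no-op for an endpoint that already owns its HMAC transforms, the second call would replace (and leak) the existing allocation; either state that property in the new comment or narrow the guard to `if (oldsp->ep->auth_hmacs && !newsp->ep->auth_hmacs)`. The early `return err;` mirrors the error path of the `if (err) return err;` context line just above it, so a partially migrated newsk is left to the caller to tear down as before; a sentence in the commit message saying that this is intentional would help the next reader.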