All of lore.kernel.org
 help / color / mirror / Atom feed
* Patch "sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6" has been added to the 4.9-stable tree
@ 2018-04-11  9:03 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2018-04-11  9:03 UTC (permalink / raw)
  To: edumazet, davem, gregkh, nhorman, syzkaller, vyasevich
  Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Wed Apr 11 10:26:56 CEST 2018
From: Eric Dumazet <edumazet@google.com>
Date: Sun, 8 Apr 2018 07:52:08 -0700
Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]

Check must happen before call to ipv6_addr_v4mapped()

syzbot report was :

BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 sctp_sockaddr_af net/sctp/socket.c:359 [inline]
 sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
 sctp_bind+0x149/0x190 net/sctp/socket.c:332
 inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
 SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
 SyS_bind+0x54/0x80 net/socket.c:1460
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fd49
RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000

Local variable description: ----address@SYSC_bind
Variable was created at:
 SYSC_bind+0x6f/0x4b0 net/socket.c:1461
 SyS_bind+0x54/0x80 net/socket.c:1460

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -335,11 +335,14 @@ static struct sctp_af *sctp_sockaddr_af(
 	if (!opt->pf->af_supported(addr->sa.sa_family, opt))
 		return NULL;
 
-	/* V4 mapped address are really of AF_INET family */
-	if (addr->sa.sa_family == AF_INET6 &&
-	    ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
-	    !opt->pf->af_supported(AF_INET, opt))
-		return NULL;
+	if (addr->sa.sa_family == AF_INET6) {
+		if (len < SIN6_LEN_RFC2133)
+			return NULL;
+		/* V4 mapped address are really of AF_INET family */
+		if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+		    !opt->pf->af_supported(AF_INET, opt))
+			return NULL;
+	}
 
 	/* If we get this far, af is valid. */
 	af = sctp_get_af_specific(addr->sa.sa_family);


Patches currently in stable-queue which might be from edumazet@google.com are

queue-4.9/tcp-better-validation-of-received-ack-sequences.patch
queue-4.9/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
queue-4.9/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
queue-4.9/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
queue-4.9/x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch
queue-4.9/net-fool-proof-dev_valid_name.patch
queue-4.9/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
queue-4.9/vti6-better-validate-user-provided-tunnel-names.patch
queue-4.9/ipv6-sit-better-validate-user-provided-tunnel-names.patch
queue-4.9/ip6_tunnel-better-validate-user-provided-tunnel-names.patch
queue-4.9/sctp-do-not-leak-kernel-memory-to-user-space.patch
queue-4.9/ip_tunnel-better-validate-user-provided-tunnel-names.patch
queue-4.9/skbuff-only-inherit-relevant-tx_flags.patch
queue-4.9/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
queue-4.9/ip6_gre-better-validate-user-provided-tunnel-names.patch

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2018-04-11  9:05 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-11  9:03 Patch "sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6" has been added to the 4.9-stable tree gregkh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.