From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758915AbcJYMXz (ORCPT ); Tue, 25 Oct 2016 08:23:55 -0400 Received: from mail-lf0-f43.google.com ([209.85.215.43]:33006 "EHLO mail-lf0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758640AbcJYMXv (ORCPT ); Tue, 25 Oct 2016 08:23:51 -0400 MIME-Version: 1.0 In-Reply-To: <20161024194422.GF2958@localhost.localdomain> References: <20161024194422.GF2958@localhost.localdomain> From: Andrey Konovalov Date: Tue, 25 Oct 2016 14:23:48 +0200 Message-ID: Subject: Re: net/sctp: slab-out-of-bounds in sctp_sf_ootb To: Marcelo Ricardo Leitner Cc: Vlad Yasevich , Neil Horman , "David S. Miller" , linux-sctp@vger.kernel.org, netdev , LKML , syzkaller , Kostya Serebryany , Alexander Potapenko , Eric Dumazet , Dmitry Vyukov Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Marcelo, I can confirm that your patch fixes the issue for me. Tested-by: Andrey Konovalov On Mon, Oct 24, 2016 at 9:44 PM, Marcelo Ricardo Leitner wrote: > Hi Andrey, > > On Mon, Oct 24, 2016 at 05:30:04PM +0200, Andrey Konovalov wrote: >> The problem is that sctp_walk_errors walks the chunk before its length >> is checked for overflow. > > Exactly. The check is done too late, for the 2nd and subsequent chunks > only. > Please try the following patch, thanks. Note: not even compile tested. > > ---8<--- > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > index 026e3bca4a94..8ec20a64a3f8 100644 > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -3422,6 +3422,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > commands); > > + /* Report violation if chunk len overflows */ > + ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > + if (ch_end > skb_tail_pointer(skb)) > + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > + commands); > + > /* Now that we know we at least have a chunk header, > * do things that are type appropriate. > */ > @@ -3453,12 +3459,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > } > } > > - /* Report violation if chunk len overflows */ > - ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > - if (ch_end > skb_tail_pointer(skb)) > - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > - commands); > - > ch = (sctp_chunkhdr_t *) ch_end; > } while (ch_end < skb_tail_pointer(skb)); > From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrey Konovalov Date: Tue, 25 Oct 2016 12:23:48 +0000 Subject: Re: net/sctp: slab-out-of-bounds in sctp_sf_ootb Message-Id: List-Id: References: <20161024194422.GF2958@localhost.localdomain> In-Reply-To: <20161024194422.GF2958@localhost.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Marcelo Ricardo Leitner Cc: Vlad Yasevich , Neil Horman , "David S. Miller" , linux-sctp@vger.kernel.org, netdev , LKML , syzkaller , Kostya Serebryany , Alexander Potapenko , Eric Dumazet , Dmitry Vyukov Hi Marcelo, I can confirm that your patch fixes the issue for me. Tested-by: Andrey Konovalov On Mon, Oct 24, 2016 at 9:44 PM, Marcelo Ricardo Leitner wrote: > Hi Andrey, > > On Mon, Oct 24, 2016 at 05:30:04PM +0200, Andrey Konovalov wrote: >> The problem is that sctp_walk_errors walks the chunk before its length >> is checked for overflow. > > Exactly. The check is done too late, for the 2nd and subsequent chunks > only. > Please try the following patch, thanks. Note: not even compile tested. > > ---8<--- > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c > index 026e3bca4a94..8ec20a64a3f8 100644 > --- a/net/sctp/sm_statefuns.c > +++ b/net/sctp/sm_statefuns.c > @@ -3422,6 +3422,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > commands); > > + /* Report violation if chunk len overflows */ > + ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > + if (ch_end > skb_tail_pointer(skb)) > + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > + commands); > + > /* Now that we know we at least have a chunk header, > * do things that are type appropriate. > */ > @@ -3453,12 +3459,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net, > } > } > > - /* Report violation if chunk len overflows */ > - ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length)); > - if (ch_end > skb_tail_pointer(skb)) > - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, > - commands); > - > ch = (sctp_chunkhdr_t *) ch_end; > } while (ch_end < skb_tail_pointer(skb)); >