* [PATCH] sctp: socket.c validate sprstat_policy
@ 2018-10-27 20:20 Tomas Bortoli
2018-10-27 20:43 ` Tomas Bortoli
0 siblings, 1 reply; 6+ messages in thread
From: Tomas Bortoli @ 2018-10-27 20:20 UTC (permalink / raw)
To: vyasevich, nhorman, marcelo.leitner
Cc: davem, linux-sctp, netdev, linux-kernel, Tomas Bortoli
It is possible to perform out-of-bounds reads on
sctp_getsockopt_pr_streamstatus() and on
sctp_getsockopt_pr_assocstatus() by passing from userspace a
sprstat_policy that overflows the abandoned_sent/abandoned_unsent
fixed length arrays. The over-read data are directly copied/leaked
to userspace.
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
---
v2 - added forgotten ||
net/sctp/socket.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index fc0386e8ff23..5290b8bd40c8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
}
policy = params.sprstat_policy;
- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
+ __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
goto out;
asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
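Review bot: the new bound `__SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX)` is evaluated before the `policy & SCTP_PR_SCTP_ALL` split that follows in this function, so it also applies to SCTP_PR_SCTP_ALL itself; if ALL is a flag bit above SCTP_PR_SCTP_MASK, as the separate mask term in the condition suggests, its index is above MAX and a caller asking for the ALL total now gets -EINVAL from this hunk. Only the `else` branch indexes abandoned_sent/abandoned_unsent, so either guard the bound with `!(policy & SCTP_PR_SCTP_ALL) &&`, or reject values that combine the ALL bit with MASK bits, e.g. `((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK))`, and make the ALL comparison exact (`policy == SCTP_PR_SCTP_ALL`) so that nothing with the ALL bit set can reach the indexed lookup.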
@@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len,
}
policy = params.sprstat_policy;
- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
+ __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
goto out;
asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
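Review bot: this is the third clause of a condition that is now duplicated verbatim between sctp_getsockopt_pr_assocstatus() and sctp_getsockopt_pr_streamstatus(); a small static helper (e.g. `sctp_pr_policy_valid(int policy)`) would keep the two in sync, which matters here because the ALL-bit concern raised on the assocstatus hunk applies to this copy as well and the stream handler's dispatch on SCTP_PR_SCTP_ALL is not visible in the patch context, so a reviewer cannot confirm from this hunk alone that combined values (ALL plus a MASK policy) can no longer reach the `__SCTP_PR_INDEX(policy)` lookup.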
--
2.11.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
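Added example, not part of the patch or the kernel tree: a userspace C model that walks the whole sprstat_policy space through three versions of the check (before the patch, as proposed by v2, and a stricter alternative) and reports which admitted values would index past the per-policy counter arrays and whether a plain SCTP_PR_SCTP_ALL request still works. The SCTP_PR_SCTP_* constants and __SCTP_PR_INDEX() are not shown on this page and are assumed to match include/uapi/linux/sctp.h; the array length follows from the `policy <= SCTP_PR_INDEX(MAX)` loop in the kbuild listing; the `==` dispatch variant is an assumption about sctp_getsockopt_pr_streamstatus(), whose body is not on this page.

```c
/* Added example, not kernel code: a userspace model of the sprstat_policy
 * checks in sctp_getsockopt_pr_assocstatus()/sctp_getsockopt_pr_streamstatus().
 * ASSUMPTION: the SCTP_PR_SCTP_* values and __SCTP_PR_INDEX() below are taken
 * to match include/uapi/linux/sctp.h; they are not shown on this page. */
#include <stdbool.h>
#include <stdio.h>

#define SCTP_PR_SCTP_TTL   0x0010
#define SCTP_PR_SCTP_RTX   0x0020
#define SCTP_PR_SCTP_PRIO  0x0030
#define SCTP_PR_SCTP_MAX   SCTP_PR_SCTP_PRIO
#define SCTP_PR_SCTP_MASK  0x0030
#define SCTP_PR_SCTP_ALL   0x0040

#define __SCTP_PR_INDEX(x) (((x) >> 4) - 1)
#define SCTP_PR_INDEX(x)   __SCTP_PR_INDEX(SCTP_PR_SCTP_##x)

/* abandoned_sent[]/abandoned_unsent[] hold one counter per policy index,
 * i.e. indexes 0..SCTP_PR_INDEX(MAX), as the loop in the kbuild listing shows. */
#define NPOLICY (SCTP_PR_INDEX(MAX) + 1)

enum outcome { REJECTED, SUM_ALL, INDEX_OK, INDEX_OOB };

/* The check as it stood before the patch. */
static bool valid_before(int policy)
{
	return policy && !(policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL));
}

/* The check as proposed by the v2 patch. */
static bool valid_patch(int policy)
{
	return valid_before(policy) &&
	       !(__SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX));
}

/* A stricter alternative: ALL only on its own, otherwise a MASK value. */
static bool valid_strict(int policy)
{
	if (policy == SCTP_PR_SCTP_ALL)
		return true;
	return policy && !(policy & ~SCTP_PR_SCTP_MASK);
}

/* What the handler does with an admitted policy. all_by_bit=true models
 * 'if (policy & SCTP_PR_SCTP_ALL)' as in the assocstatus listing on this page;
 * all_by_bit=false models an 'if (policy == SCTP_PR_SCTP_ALL)' dispatch
 * (an assumption about the streamstatus handler, whose body is not shown),
 * where a combined value such as ALL|TTL falls through to the indexed lookup. */
static enum outcome classify(bool (*valid)(int), bool all_by_bit, int policy)
{
	int idx;

	if (!valid(policy))
		return REJECTED;
	if (all_by_bit ? (policy & SCTP_PR_SCTP_ALL) != 0
		       : policy == SCTP_PR_SCTP_ALL)
		return SUM_ALL;		/* loops over idx 0..SCTP_PR_INDEX(MAX) */
	idx = __SCTP_PR_INDEX(policy);
	return (idx >= 0 && idx < NPOLICY) ? INDEX_OK : INDEX_OOB;
}

struct summary { int admitted, oob; bool all_works; };

/* Walk the whole 16-bit sprstat_policy space (assumed to be a __u16 in
 * struct sctp_prstatus) and count admitted values and out-of-bounds lookups. */
static struct summary evaluate(bool (*valid)(int), bool all_by_bit)
{
	struct summary s = { 0, 0, false };

	for (int p = 0; p <= 0xffff; p++) {
		enum outcome o = classify(valid, all_by_bit, p);

		if (o != REJECTED)
			s.admitted++;
		if (o == INDEX_OOB)
			s.oob++;
	}
	s.all_works = classify(valid, all_by_bit, SCTP_PR_SCTP_ALL) == SUM_ALL;
	return s;
}

int main(void)
{
	const struct { const char *name; bool (*valid)(int); } checks[] = {
		{ "before", valid_before },
		{ "patch",  valid_patch  },
		{ "strict", valid_strict },
	};

	for (int i = 0; i < 3; i++)
		for (int bit = 1; bit >= 0; bit--) {
			struct summary s = evaluate(checks[i].valid, bit);

			printf("%-6s dispatch=%-2s admitted=%d oob=%d ALL=%s\n",
			       checks[i].name, bit ? "&" : "==",
			       s.admitted, s.oob, s.all_works ? "ok" : "rejected");
		}
	return 0;
}
```

Under these assumptions the pre-patch check admits seven values (the three MASK policies, ALL, and ALL combined with each of them); with a `policy & SCTP_PR_SCTP_ALL` dispatch every ALL-bit value takes the summing loop and nothing indexes out of range, while with an exact `==` dispatch the three combined values reach the indexed lookup with indexes 4, 5 and 6 against three counters. The v2 bound stops those, but it also rejects plain SCTP_PR_SCTP_ALL (index 3), leaving only the three MASK policies usable. The strict variant admits exactly the four intended values and keeps ALL working under either dispatch.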
* Re: [PATCH] sctp: socket.c validate sprstat_policy
2018-10-27 20:20 [PATCH] sctp: socket.c validate sprstat_policy Tomas Bortoli
@ 2018-10-27 20:43 ` Tomas Bortoli
2018-10-28 0:03 ` David Miller
0 siblings, 1 reply; 6+ messages in thread
From: Tomas Bortoli @ 2018-10-27 20:43 UTC (permalink / raw)
To: vyasevich, nhorman, marcelo.leitner
Cc: davem, linux-sctp, netdev, linux-kernel
On 10/27/18 10:20 PM, Tomas Bortoli wrote:
> It is possible to perform out-of-bounds reads on
> sctp_getsockopt_pr_streamstatus() and on
> sctp_getsockopt_pr_assocstatus() by passing from userspace a
> sprstat_policy that overflows the abandoned_sent/abandoned_unsent
> fixed length arrays. The over-read data are directly copied/leaked
> to userspace.
>
> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
> Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
> ---
> v2 - added forgotten ||
>
> net/sctp/socket.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index fc0386e8ff23..5290b8bd40c8 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
> }
>
> policy = params.sprstat_policy;
> - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
> + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
> + __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
> goto out;
>
> asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
> @@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len,
> }
>
> policy = params.sprstat_policy;
> - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
> + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
> + __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
> goto out;
>
> asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
>
I just realized we also have to check for less than 0 indexes.
* Re: [PATCH] sctp: socket.c validate sprstat_policy
2018-10-27 20:43 ` Tomas Bortoli
@ 2018-10-28 0:03 ` David Miller
0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2018-10-28 0:03 UTC (permalink / raw)
To: tomasbortoli
Cc: vyasevich, nhorman, marcelo.leitner, linux-sctp, netdev, linux-kernel
From: Tomas Bortoli <tomasbortoli@gmail.com>
Date: Sat, 27 Oct 2018 22:43:43 +0200
> I just realized we also have to check for less than 0 indexes.
How about the fact that your original submission didn't even compile?
I hope you realized that first.
* Re: [PATCH] sctp: socket.c validate sprstat_policy
2018-10-27 19:58 Tomas Bortoli
2018-10-27 20:50 ` kbuild test robot
@ 2018-10-27 20:53 ` kbuild test robot
1 sibling, 0 replies; 6+ messages in thread
From: kbuild test robot @ 2018-10-27 20:53 UTC (permalink / raw)
To: Tomas Bortoli
Cc: kbuild-all, vyasevich, nhorman, marcelo.leitner, davem,
linux-sctp, netdev, linux-kernel, syzkaller, Tomas Bortoli
[-- Attachment #1: Type: text/plain, Size: 2809 bytes --]
Hi Tomas,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on net-next/master]
[also build test ERROR on v4.19 next-20181019]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Tomas-Bortoli/sctp-socket-c-validate-sprstat_policy/20181028-040051
config: i386-randconfig-x077-201843 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All errors (new ones prefixed by >>):
net//sctp/socket.c: In function 'sctp_getsockopt_pr_assocstatus':
>> net//sctp/socket.c:7086:25: error: called object is not a function or function pointer
if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +7086 net//sctp/socket.c
7066
7067 static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
7068 char __user *optval,
7069 int __user *optlen)
7070 {
7071 struct sctp_prstatus params;
7072 struct sctp_association *asoc;
7073 int policy;
7074 int retval = -EINVAL;
7075
7076 if (len < sizeof(params))
7077 goto out;
7078
7079 len = sizeof(params);
7080 if (copy_from_user(&params, optval, len)) {
7081 retval = -EFAULT;
7082 goto out;
7083 }
7084
7085 policy = params.sprstat_policy;
> 7086 if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
7087 __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
7088 goto out;
7089
7090 asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
7091 if (!asoc)
7092 goto out;
7093
7094 if (policy & SCTP_PR_SCTP_ALL) {
7095 params.sprstat_abandoned_unsent = 0;
7096 params.sprstat_abandoned_sent = 0;
7097 for (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) {
7098 params.sprstat_abandoned_unsent +=
7099 asoc->abandoned_unsent[policy];
7100 params.sprstat_abandoned_sent +=
7101 asoc->abandoned_sent[policy];
7102 }
7103 } else {
7104 params.sprstat_abandoned_unsent =
7105 asoc->abandoned_unsent[__SCTP_PR_INDEX(policy)];
7106 params.sprstat_abandoned_sent =
7107 asoc->abandoned_sent[__SCTP_PR_INDEX(policy)];
7108 }
7109
7110 if (put_user(len, optlen)) {
7111 retval = -EFAULT;
7112 goto out;
7113 }
7114
7115 if (copy_to_user(optval, &params, len)) {
7116 retval = -EFAULT;
7117 goto out;
7118 }
7119
7120 retval = 0;
7121
7122 out:
7123 return retval;
7124 }
7125
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 29507 bytes --]
* Re: [PATCH] sctp: socket.c validate sprstat_policy
2018-10-27 19:58 Tomas Bortoli
@ 2018-10-27 20:50 ` kbuild test robot
2018-10-27 20:53 ` kbuild test robot
1 sibling, 0 replies; 6+ messages in thread
From: kbuild test robot @ 2018-10-27 20:50 UTC (permalink / raw)
To: Tomas Bortoli
Cc: kbuild-all, vyasevich, nhorman, marcelo.leitner, davem,
linux-sctp, netdev, linux-kernel, syzkaller, Tomas Bortoli
[-- Attachment #1: Type: text/plain, Size: 4456 bytes --]
Hi Tomas,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on net-next/master]
[also build test WARNING on v4.19 next-20181019]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Tomas-Bortoli/sctp-socket-c-validate-sprstat_policy/20181028-040051
config: i386-randconfig-x075-201843 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All warnings (new ones prefixed by >>):
In file included from arch/x86/include/asm/atomic.h:5:0,
from include/linux/atomic.h:7,
from include/linux/crypto.h:20,
from include/crypto/hash.h:16,
from net/sctp/socket.c:55:
net/sctp/socket.c: In function 'sctp_getsockopt_pr_assocstatus':
net/sctp/socket.c:7086:25: error: called object is not a function or function pointer
if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:58:30: note: in definition of macro '__trace_if'
if (__builtin_constant_p(!!(cond)) ? !!(cond) : \
^~~~
>> net/sctp/socket.c:7086:2: note: in expansion of macro 'if'
if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
^~
net/sctp/socket.c:7086:25: error: called object is not a function or function pointer
if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:58:42: note: in definition of macro '__trace_if'
if (__builtin_constant_p(!!(cond)) ? !!(cond) : \
^~~~
>> net/sctp/socket.c:7086:2: note: in expansion of macro 'if'
if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
^~
net/sctp/socket.c:7086:25: error: called object is not a function or function pointer
if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:69:16: note: in definition of macro '__trace_if'
______r = !!(cond); \
^~~~
>> net/sctp/socket.c:7086:2: note: in expansion of macro 'if'
if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
^~
vim +/if +7086 net/sctp/socket.c
7066
7067 static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
7068 char __user *optval,
7069 int __user *optlen)
7070 {
7071 struct sctp_prstatus params;
7072 struct sctp_association *asoc;
7073 int policy;
7074 int retval = -EINVAL;
7075
7076 if (len < sizeof(params))
7077 goto out;
7078
7079 len = sizeof(params);
7080 if (copy_from_user(&params, optval, len)) {
7081 retval = -EFAULT;
7082 goto out;
7083 }
7084
7085 policy = params.sprstat_policy;
> 7086 if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
7087 __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
7088 goto out;
7089
7090 asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
7091 if (!asoc)
7092 goto out;
7093
7094 if (policy & SCTP_PR_SCTP_ALL) {
7095 params.sprstat_abandoned_unsent = 0;
7096 params.sprstat_abandoned_sent = 0;
7097 for (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) {
7098 params.sprstat_abandoned_unsent +=
7099 asoc->abandoned_unsent[policy];
7100 params.sprstat_abandoned_sent +=
7101 asoc->abandoned_sent[policy];
7102 }
7103 } else {
7104 params.sprstat_abandoned_unsent =
7105 asoc->abandoned_unsent[__SCTP_PR_INDEX(policy)];
7106 params.sprstat_abandoned_sent =
7107 asoc->abandoned_sent[__SCTP_PR_INDEX(policy)];
7108 }
7109
7110 if (put_user(len, optlen)) {
7111 retval = -EFAULT;
7112 goto out;
7113 }
7114
7115 if (copy_to_user(optval, &params, len)) {
7116 retval = -EFAULT;
7117 goto out;
7118 }
7119
7120 retval = 0;
7121
7122 out:
7123 return retval;
7124 }
7125
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 33915 bytes --]
* [PATCH] sctp: socket.c validate sprstat_policy
@ 2018-10-27 19:58 Tomas Bortoli
2018-10-27 20:50 ` kbuild test robot
2018-10-27 20:53 ` kbuild test robot
0 siblings, 2 replies; 6+ messages in thread
From: Tomas Bortoli @ 2018-10-27 19:58 UTC (permalink / raw)
To: vyasevich, nhorman, marcelo.leitner
Cc: davem, linux-sctp, netdev, linux-kernel, syzkaller, Tomas Bortoli
It is possible to perform out-of-bounds reads on
sctp_getsockopt_pr_streamstatus() and on
sctp_getsockopt_pr_assocstatus() by passing from userspace a
sprstat_policy that overflows the abandoned_sent/abandoned_unsent
fixed length arrays. The over-read data are directly copied/leaked
to userspace.
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
---
net/sctp/socket.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index fc0386e8ff23..5290b8bd40c8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
}
policy = params.sprstat_policy;
- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
+ __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
goto out;
asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
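Review bot: the added line is missing the `||` that joins it to the mask test above it, so the condition reads `(policy & ~(...)) __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX)` and the compiler parses the parenthesised expression as a function being called; that is the "called object is not a function or function pointer" error at net/sctp/socket.c:7086 in both kbuild reports on this thread. The streamstatus hunk below has the operator, so the two hunks are inconsistent; add `||` at the end of the `+ if (!policy || ...` line, as v2 of this patch does.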
@@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len,
}
policy = params.sprstat_policy;
- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
+ __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
goto out;
asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
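Review bot: this hunk compiles, unlike the assocstatus one, but the bound it adds, `__SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX)`, is applied before any dispatch on SCTP_PR_SCTP_ALL; if ALL is a flag bit outside SCTP_PR_SCTP_MASK, as the separate mask term implies, its index exceeds MAX and a plain ALL request is rejected along with the combined values. Restrict the index bound to the non-ALL case (`!(policy & SCTP_PR_SCTP_ALL) && ...`) or reject only values that mix the ALL bit with MASK bits, so the summing path for ALL keeps working.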
--
2.11.0