From: ebiederm@xmission.com (Eric W. Biederman)
To: "David S. Miller"
Cc: Kees Cook, Eric Dumazet, Kostya Serebryany, Andrey Konovalov, Eric Dumazet, Network Development, LKML, security@kernel.org, Alexander Potapenko, linux-sctp@vger.kernel.org, Neil Horman, Vlad Yasevich
Subject: [PATCH net] net/sctp: Always set scope_id in sctp_inet6_skb_msgname
Date: Wed, 15 Nov 2017 22:17:48 -0600
Message-ID: <871skyzwk3.fsf_-_@xmission.com>
In-Reply-To: (Alexander Potapenko's message of "Wed, 15 Nov 2017 09:22:39 +0100")
References: <20171031161445.GA140874@beast> <1509471094.3828.26.camel@edumazet-glaptop3.roam.corp.google.com> <871slikvvf.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Mailing-List: linux-kernel@vger.kernel.org

Alexander Potapenko, while testing the kernel with KMSAN and syzkaller, discovered that in some configurations sctp would leak 4 bytes of kernel stack.

Working with his reproducer I discovered that those 4 bytes that are leaked are the scope id of an ipv6 address returned by recvmsg.

With a little code inspection and a shrewd guess I discovered that sctp_inet6_skb_msgname only initializes the scope_id field for link local ipv6 addresses to the interface index the link local address pertains to, instead of initializing the scope_id field for all ipv6 addresses.

That is almost reasonable as scope_ids are meaningful only for link local addresses. Set the scope_id in all other cases to 0, which is not a valid interface index, to make it clear there is nothing useful in the scope_id field.

There should be no danger of breaking userspace as the stack leak guaranteed that previously meaningless random data was being returned.
Cc: stable@vger.kernel.org Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.") History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Reported-by: Alexander Potapenko Tested-by: Alexander Potapenko Signed-off-by: "Eric W. Biederman" --- net/sctp/ipv6.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index a6dfa86c0201..3b18085e3b10 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -807,9 +807,10 @@ static void sctp_inet6_skb_msgname(struct sk_buff *skb, char *msgname, addr->v6.sin6_flowinfo = 0; addr->v6.sin6_port = sh->source; addr->v6.sin6_addr = ipv6_hdr(skb)->saddr; - if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { + if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) addr->v6.sin6_scope_id = sctp_v6_skb_iif(skb); - } + else + addr->v6.sin6_scope_id = 0; } *addr_len = sctp_v6_addr_to_user(sctp_sk(skb->sk), addr); -- 2.14.1
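Review bot: The new else branch closes the only path in this function that left sin6_scope_id unassigned, but the fix still depends on every field of the address being written one by one (sin6_flowinfo, sin6_port, sin6_addr and now sin6_scope_id in the visible context); zeroing sin6_scope_id unconditionally before the `if`, or clearing the whole address at the top of the v6 branch, would make this class of leak harder to reintroduce when a field is added later and would reduce the hunk to a single added line. Dropping the braces on the now single-statement `if` matches kernel style. The History-tree: line is useful since the Fixes: hash comes from the pre-git history tree, which is what the Cc: stable request will need.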
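Added example, not part of this patch or the kernel tree: a userspace mirror of the hunk above, with a poison-fill check that counts the bytes the old code would have handed back to recvmsg uninitialized. The names fake_skb, msgname, make_skb and leaked_bytes are constructed for this example; glibc's sockaddr_in6 and IN6_IS_ADDR_LINKLOCAL stand in for the kernel types, and the sample addresses are made up.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Constructed stand-in for the skb fields the kernel function reads:
 * ipv6_hdr(skb)->saddr, sh->source (network order) and sctp_v6_skb_iif(skb). */
struct fake_skb { struct in6_addr saddr; uint16_t source; uint32_t iif; };

/* Userspace mirror of the hunk. With fixed == 0 it behaves like the pre-patch
 * code: sin6_scope_id is written only for link-local sources, so any other
 * address leaves it holding stale stack bytes. glibc's IN6_IS_ADDR_LINKLOCAL
 * stands in for ipv6_addr_type() & IPV6_ADDR_LINKLOCAL, and sin6_family is
 * assumed to be set as it is above the hunk in the real function. */
static void msgname(const struct fake_skb *skb, struct sockaddr_in6 *addr, int fixed)
{
    addr->sin6_family = AF_INET6;
    addr->sin6_flowinfo = 0;
    addr->sin6_port = skb->source;
    addr->sin6_addr = skb->saddr;
    if (IN6_IS_ADDR_LINKLOCAL(&addr->sin6_addr))
        addr->sin6_scope_id = skb->iif;
    else if (fixed)                 /* the branch the patch adds */
        addr->sin6_scope_id = 0;
}

/* Build a constructed sample input from a textual source address. */
static struct fake_skb make_skb(const char *src, uint16_t port, uint32_t iif)
{
    struct fake_skb skb = { .source = htons(port), .iif = iif };
    inet_pton(AF_INET6, src, &skb.saddr);
    return skb;
}

/* Poison check, a userspace analogue of what KMSAN reports: fill the output
 * with 0xAA (a byte none of the sample inputs produce), run the function and
 * return how many sentinel bytes survive, i.e. would reach userspace unset. */
static size_t leaked_bytes(struct fake_skb skb, int fixed)
{
    struct sockaddr_in6 addr;
    const unsigned char *p = (const unsigned char *)&addr;
    size_t n = 0;

    memset(&addr, 0xAA, sizeof(addr));
    msgname(&skb, &addr, fixed);
    for (size_t i = 0; i < sizeof(addr); i++)
        n += (p[i] == 0xAA);
    return n;
}
```

For a global source address the unpatched path leaves exactly the 4 bytes of sin6_scope_id poisoned, matching the 4-byte leak in the report; a link-local source leaks nothing either way because the interface index is written.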