Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 27 Feb 2017 13:07:06 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: Linux: CVE-2017-6353: sctp: deny peeloff operation on asocs with
 threads sleeping on it

Hi

Via the CVE webform, MITRE has assigned CVE-2017-6353 for:

https://marc.info/?l=linux-netdev&m=148785309416337&w=2

>Subject:    [PATCH net] sctp: deny peeloff operation on asocs with threads sleeping on it
>From:       Marcelo Ricardo Leitner <marcelo.leitner () gmail ! com>
>Date:       2017-02-23 12:31:18
>
>commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
>attempted to avoid a BUG_ON call when the association being used for a
>sendmsg() is blocked waiting for more sndbuf and another thread did a
>peeloff operation on such asoc, moving it to another socket.
>
>As Ben Hutchings noticed, then in such case it would return without
>locking back the socket and would cause two unlocks in a row.
>
>Further analysis also revealed that it could allow a double free if the
>application managed to peeloff the asoc that is created during the
>sendmsg call, because then sctp_sendmsg() would try to free the asoc
>that was created only for that call.
>
>This patch takes another approach. It will deny the peeloff operation
>if there is a thread sleeping on the asoc, so this situation doesn't
>exist anymore. This avoids the issues described above and also honors
>the syscalls that are already being handled (it can be multiple sendmsg
>calls).
>
>Joint work with Xin Long.
>
>Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
>Cc: Alexander Popov <alex.popov@...ux.com>
>Cc: Ben Hutchings <ben@...adent.org.uk>
>Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
>Signed-off-by: Xin Long <lucien.xin@...il.com>
>---
>Hi, please consider this one for -stable too. Thanks
>
> net/sctp/socket.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/net/sctp/socket.c b/net/sctp/socket.c
>index 1b5d669e30292a57ed57dd920d81be2a57f97b22..d04a8b66098c8a574642b026bff990ac64c21468 100644
>--- a/net/sctp/socket.c
>+++ b/net/sctp/socket.c
>@@ -4734,6 +4734,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
> 	if (!asoc)
> 		return -EINVAL;
> 
>+	/* If there is a thread waiting on more sndbuf space for
>+	 * sending on this asoc, it cannot be peeled.
>+	 */
>+	if (waitqueue_active(&asoc->wait))
>+		return -EBUSY;
>+
> 	/* An association cannot be branched off from an already peeled-off
> 	 * socket, nor is this supported for tcp style sockets.
> 	 */
>@@ -7426,8 +7432,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
> 		 */
> 		release_sock(sk);
> 		current_timeo = schedule_timeout(current_timeo);
>-		if (sk != asoc->base.sk)
>-			goto do_error;
> 		lock_sock(sk);
> 
> 		*timeo_p = current_timeo;
>-- 
>2.9.3

This was found while reviewing the fix of CVE-2017-5986 (2dcab5984841
("sctp: avoid BUG_ON on sctp_wait_for_sndbuf"))

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.