| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Feb 2017 19:56:14 +0800
From: Xin Long <lucien.xin@...il.com>
To: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc: Dmitry Vyukov <dvyukov@...gle.com>,
Vladislav Yasevich <vyasevich@...il.com>,
Neil Horman <nhorman@...driver.com>,
David Miller <davem@...emloft.net>, linux-sctp@...r.kernel.org,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
LKML <linux-kernel@...r.kernel.org>,
syzkaller <syzkaller@...glegroups.com>
Subject: Re: net/sctp: GPF in sctp_addr_id2transport
On Tue, Feb 7, 2017 at 7:09 PM, Marcelo Ricardo Leitner
<marcelo.leitner@...il.com> wrote:
> On Tue, Feb 07, 2017 at 10:42:38AM +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program triggers GPF in sctp_addr_id2transport:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <string.h>
>> #include <stdint.h>
>> #include <sys/types.h>
>> #include <sys/socket.h>
>> #include <linux/in.h>
>> #include <linux/sctp.h>
>>
>> int main()
>> {
>> int sock = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>> struct sctp_paddrinfo info;
>> memset(&info, 0, sizeof(info));
>> int sz = sizeof(info);
>> getsockopt(sock, IPPROTO_SCTP, SCTP_GET_PEER_ADDR_INFO, &info, &sz);
>> return 0;
>> }
>>
> ...
>> RIP: 0010:sctp_addr_id2transport+0xb7/0x350 net/sctp/socket.c:242
> ...
>> sctp_getsockopt_peer_addr_info+0x211/0x620 net/sctp/socket.c:4628
>> sctp_getsockopt+0x2813/0x66a0 net/sctp/socket.c:6503
>> sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2685
>> SYSC_getsockopt net/socket.c:1819 [inline]
>> SyS_getsockopt+0x240/0x380 net/socket.c:1801
>> entry_SYSCALL_64_fastpath+0x1f/0xc2
>
> Xin, I believe 6f29a1306131 ("sctp: sctp_addr_id2transport should verify
> the addr before looking up assoc") introduced this issue.
>
> As info is all 0'ed in this test,
> + struct sctp_af *af = sctp_get_af_specific(addr->ss_family);
> will return NULL, and then boom at:
> + if (sctp_verify_addr(sk, laddr, af->sockaddr_len))
> ^^^^
>
The issue is caused by users passed a address with family = 0,
and af is NULL there.
I already have a patch for this, will post it soon. Thanks.
> Marcelo
>
Powered by blists - more mailing lists