Date:   Tue, 2 Nov 2021 16:52:28 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Alexey Khoroshilov <khoroshilov@...ras.ru>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Xin Long <lucien.xin@...il.com>,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Sasha Levin <sashal@...nel.org>, ldv-project@...uxtesting.org
Subject: Re: [PATCH 5.10 68/77] sctp: add vtag check in sctp_sf_violation

On Tue, Nov 02, 2021 at 05:12:16PM +0300, Alexey Khoroshilov wrote:
> Hello!
> 
> It seems the patch may lead to NULL pointer dereference.
> 
> 
> 1. sctp_sf_violation_chunk() calls sctp_sf_violation() with asoc arg
> equal to NULL.
> 
> static enum sctp_disposition sctp_sf_violation_chunk(
> ...
> {
> ...
>     if (!asoc)
>         return sctp_sf_violation(net, ep, asoc, type, arg, commands);
> ...
> 
> 2. Newly added code of sctp_sf_violation() calls to sctp_vtag_verify()
> with asoc arg equal to NULL.
> 
> enum sctp_disposition sctp_sf_violation(struct net *net,
> ...
> {
>     struct sctp_chunk *chunk = arg;
> 
>     if (!sctp_vtag_verify(chunk, asoc))
>         return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> ...
> 
> 3. sctp_vtag_verify() dereferences asoc without any check.
> 
> /* Check VTAG of the packet matches the sender's own tag. */
> static inline int
> sctp_vtag_verify(const struct sctp_chunk *chunk,
> 		 const struct sctp_association *asoc)
> {
> 	/* RFC 2960 Sec 8.5 When receiving an SCTP packet, the endpoint
> 	 * MUST ensure that the value in the Verification Tag field of
> 	 * the received SCTP packet matches its own Tag. If the received
> 	 * Verification Tag value does not match the receiver's own
> 	 * tag value, the receiver shall silently discard the packet...
> 	 */
> 	if (ntohl(chunk->sctp_hdr->vtag) != asoc->c.my_vtag)
> 		return 0;
> 
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE tool.

These issues should all be the same with Linus's tree, so can you please
submit patches to the normal netdev developers and mailing list to
resolve the above issues?

thanks,

greg k-h
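A small C model of the call chain quoted above, added here as an illustration; it is neither kernel code nor part of the thread. It keeps the unguarded sctp_vtag_verify() as quoted next to an assumed NULL-association guard so the !asoc path from sctp_sf_violation_chunk() can be exercised without a crash; the struct layouts, the *_model/*_checked names, the run_model() sample helper and the discard-when-no-association choice are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>   /* ntohl/htonl */

/* Stand-in structs (assumed layouts, only the fields the check touches). */
struct sctp_sctphdr { uint32_t vtag; };               /* network byte order */
struct sctp_chunk { struct sctp_sctphdr *sctp_hdr; };
struct sctp_association { struct { uint32_t my_vtag; } c; };

enum disposition { SCTP_DISPOSITION_DISCARD, SCTP_DISPOSITION_VIOLATION };

/* The check as quoted in the report: asoc is dereferenced unconditionally,
 * so reaching this with asoc == NULL is the NULL pointer dereference. */
static int sctp_vtag_verify_unchecked(const struct sctp_chunk *chunk,
                                      const struct sctp_association *asoc)
{
    return ntohl(chunk->sctp_hdr->vtag) == asoc->c.my_vtag;
}

/* Assumed hardening (not the kernel's fix): with no association there is no
 * tag to compare against, so report "not verified" instead of dereferencing. */
static int sctp_vtag_verify_checked(const struct sctp_chunk *chunk,
                                    const struct sctp_association *asoc)
{
    if (!asoc)
        return 0;
    return ntohl(chunk->sctp_hdr->vtag) == asoc->c.my_vtag;
}

/* Model of the new prologue in sctp_sf_violation(), using the guarded check. */
static enum disposition sctp_sf_violation_model(const struct sctp_chunk *chunk,
                                                const struct sctp_association *asoc)
{
    if (!sctp_vtag_verify_checked(chunk, asoc))
        return SCTP_DISPOSITION_DISCARD;          /* sctp_sf_pdiscard() */
    return SCTP_DISPOSITION_VIOLATION;            /* continue violation handling */
}

/* Model of sctp_sf_violation_chunk(): without an association it forwards NULL. */
static enum disposition sctp_sf_violation_chunk_model(const struct sctp_chunk *chunk,
                                                      const struct sctp_association *asoc)
{
    return sctp_sf_violation_model(chunk, asoc ? asoc : NULL);
}

/* Constructed sample input: a chunk carrying pkt_vtag, with or without an
 * association whose own tag is my_vtag. Returns the resulting disposition. */
static enum disposition run_model(uint32_t pkt_vtag, int have_asoc, uint32_t my_vtag)
{
    struct sctp_sctphdr hdr = { .vtag = htonl(pkt_vtag) };
    struct sctp_chunk chunk = { .sctp_hdr = &hdr };
    struct sctp_association asoc = { .c = { .my_vtag = my_vtag } };
    return sctp_sf_violation_chunk_model(&chunk, have_asoc ? &asoc : NULL);
}
```

Swapping sctp_vtag_verify_checked() for sctp_vtag_verify_unchecked() inside sctp_sf_violation_model() reproduces the crash on the have_asoc == 0 path, which is the reachable case the report describes.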
