lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YYjKd/UwdwrbnrNd@kroah.com>
Date:   Mon, 8 Nov 2021 07:57:59 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Alexey Khoroshilov <khoroshilov@...ras.ru>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Xin Long <lucien.xin@...il.com>,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Sasha Levin <sashal@...nel.org>, ldv-project@...uxtesting.org
Subject: Re: [PATCH 5.10 68/77] sctp: add vtag check in sctp_sf_violation

On Tue, Nov 02, 2021 at 04:52:28PM +0100, Greg Kroah-Hartman wrote:
> On Tue, Nov 02, 2021 at 05:12:16PM +0300, Alexey Khoroshilov wrote:
> > Hello!
> > 
> > It seems the patch may lead to NULL pointer dereference.
> > 
> > 
> > 1. sctp_sf_violation_chunk() calls sctp_sf_violation() with asoc arg
> > equal to NULL.
> > 
> > static enum sctp_disposition sctp_sf_violation_chunk(
> > ...
> > {
> > ...
> >     if (!asoc)
> >         return sctp_sf_violation(net, ep, asoc, type, arg, commands);
> > ...
> > 
> > 2. Newly added code of sctp_sf_violation() calls to sctp_vtag_verify()
> > with asoc arg equal to NULL.
> > 
> > enum sctp_disposition sctp_sf_violation(struct net *net,
> > ...
> > {
> >     struct sctp_chunk *chunk = arg;
> > 
> >     if (!sctp_vtag_verify(chunk, asoc))
> >         return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > ...
> > 
> > 3. sctp_vtag_verify() dereferences asoc without any check.
> > 
> > /* Check VTAG of the packet matches the sender's own tag. */
> > static inline int
> > sctp_vtag_verify(const struct sctp_chunk *chunk,
> > 		 const struct sctp_association *asoc)
> > {
> > 	/* RFC 2960 Sec 8.5 When receiving an SCTP packet, the endpoint
> > 	 * MUST ensure that the value in the Verification Tag field of
> > 	 * the received SCTP packet matches its own Tag. If the received
> > 	 * Verification Tag value does not match the receiver's own
> > 	 * tag value, the receiver shall silently discard the packet...
> > 	 */
> > 	if (ntohl(chunk->sctp_hdr->vtag) != asoc->c.my_vtag)
> > 		return 0;
> > 
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE tool.
> 
> These issues should all be the same with Linus's tree, so can you please
> submit patches to the normal netdev developers and mailing list to
> resolve the above issues?

Given a lack of response, I am going to assume that these are not real
issues.  If you think they are, please submit patches to the network
developers to resolve them.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ