Date: Mon, 29 Jun 2015 09:29:02 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: alexander.sverdlin@...ia.com
Cc: netdev@...r.kernel.org, nhorman@...driver.com, marcelo.leitner@...il.com, vyasevich@...il.com
Subject: Re: [PATCH resend] sctp: Fix race between OOTB responce and route removal

From: Alexander Sverdlin <alexander.sverdlin@...ia.com>
Date: Mon, 29 Jun 2015 10:41:03 +0200

> There is NULL pointer dereference possible during statistics update if the route
> used for OOTB response is removed at unfortunate time. If the route exists when
> we receive OOTB packet and we finally jump into sctp_packet_transmit() to send
> ABORT, but in the meantime route is removed under our feet, we take "no_route"
> path and try to update stats with IP_INC_STATS(sock_net(asoc->base.sk), ...).
>
> But sctp_ootb_pkt_new() used to prepare response packet doesn't call
> sctp_transport_set_owner() and therefore there is no asoc associated with this
> packet. Probably temporary asoc just for OOTB responses is overkill, so just
> introduce a check like in all other places in sctp_packet_transmit(), where
> "asoc" is dereferenced.
>
> To reproduce this, one needs to
> 0. ensure that sctp module is loaded (otherwise ABORT is not generated)
> 1. remove default route on the machine
> 2. while true; do
>      ip route del [interface-specific route]
>      ip route add [interface-specific route]
>    done
> 3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
>    response
>
> On x86_64 the crash looks like this:
...
> Signed-off-by: Alexander Sverdlin <alexander.sverdlin@...ia.com>
> Acked-by: Neil Horman <nhorman@...driver.com>
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> Acked-by: Vlad Yasevich <vyasevich@...il.com>

Applied and queued up for -stable, thanks.
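
The guard described in the quoted commit message, as an added user-space C model that is not part of the original message and is not the kernel patch itself. Every struct, field and function name below is a constructed stand-in, and the error code returned is this model's choice:

```c
#include <stddef.h>
#include <errno.h>

/* Constructed user-space stand-ins for the kernel objects named in the message. */
struct net_stats { unsigned long out_no_routes; };
struct sock      { struct net_stats *net; };
struct assoc     { struct sock *sk; };   /* stands in for asoc->base.sk */
struct transport {
    struct assoc *asoc;                  /* NULL for OOTB replies: no owner was ever set */
    int have_route;                      /* models the result of the route lookup */
};
struct packet { struct transport *tp; };

/* The lookup can fail on any call, as when the route is deleted concurrently. */
static int route_lookup(const struct transport *tp) { return tp->have_route; }

/* Model of a transmit path whose "no_route" exit updates per-netns statistics. */
int packet_transmit(struct packet *pkt)
{
    struct transport *tp = pkt->tp;
    struct assoc *asoc = tp->asoc;

    if (!route_lookup(tp))
        goto no_route;
    return 0;                            /* the packet would be handed to IP here */

no_route:
    /* The unguarded form reads asoc->sk->net here and faults when asoc is NULL. */
    if (asoc)
        asoc->sk->net->out_no_routes++;
    return -EHOSTUNREACH;
}

/* Run one transmit for an OOTB reply (owned == 0) or an association-owned packet. */
int transmit_case(int owned, int have_route, unsigned long *counter_out)
{
    struct net_stats st = { 0 };
    struct sock sk = { &st };
    struct assoc a = { &sk };
    struct transport tp = { owned ? &a : NULL, have_route };
    struct packet pkt = { &tp };
    int rc = packet_transmit(&pkt);

    *counter_out = st.out_no_routes;
    return rc;
}
```

In this model the OOTB case fails cleanly without touching the counter, because there is no association from which to reach the network namespace.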