Date:	Mon, 29 Jun 2015 09:29:02 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	alexander.sverdlin@...ia.com
Cc:	netdev@...r.kernel.org, nhorman@...driver.com,
	marcelo.leitner@...il.com, vyasevich@...il.com
Subject: Re: [PATCH resend] sctp: Fix race between OOTB responce and route
 removal

From: Alexander Sverdlin <alexander.sverdlin@...ia.com>
Date: Mon, 29 Jun 2015 10:41:03 +0200

> There is a NULL pointer dereference possible during statistics update if the route
> used for the OOTB response is removed at an unfortunate time. If the route exists when
> we receive an OOTB packet and we finally jump into sctp_packet_transmit() to send
> ABORT, but in the meantime the route is removed under our feet, we take the "no_route"
> path and try to update stats with IP_INC_STATS(sock_net(asoc->base.sk), ...).
> 
> But sctp_ootb_pkt_new() used to prepare the response packet doesn't call
> sctp_transport_set_owner() and therefore there is no asoc associated with this
> packet. Probably a temporary asoc just for OOTB responses is overkill, so just
> introduce a check like in all other places in sctp_packet_transmit(), where
> "asoc" is dereferenced.
> 
> To reproduce this, one needs to
> 0. ensure that sctp module is loaded (otherwise ABORT is not generated)
> 1. remove default route on the machine
> 2. while true; do
>      ip route del [interface-specific route]
>      ip route add [interface-specific route]
>    done
> 3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
>    response
> 
> On x86_64 the crash looks like this:
 ...
> Signed-off-by: Alexander Sverdlin <alexander.sverdlin@...ia.com>
> Acked-by: Neil Horman <nhorman@...driver.com>
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> Acked-by: Vlad Yasevich <vyasevich@...il.com>

Applied and queued up for -stable, thanks.