lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160908192751.GE16608@hmsreliant.think-freely.org>
Date:   Thu, 8 Sep 2016 15:27:51 -0400
From:   Neil Horman <nhorman@...driver.com>
To:     Xin Long <lucien.xin@...il.com>
Cc:     network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org,
        davem@...emloft.net,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        Vlad Yasevich <vyasevich@...il.com>, daniel@...earbox.net
Subject: Re: [PATCH net] sctp: hold the transport before using it in
 sctp_hash_cmp

On Thu, Sep 08, 2016 at 05:49:04PM +0800, Xin Long wrote:
> Now sctp uses the transport without holding it in sctp_hash_cmp,
> it can cause a use-after-free panic. As after it get transport from
> hashtable, another CPU may free it, then the members it accesses
> may be unavailable memory.
> 
> This patch is to use sctp_transport_hold, in which it checks the
> refcnt first, holds it if it's not 0.
> 
> Signed-off-by: Xin Long <lucien.xin@...il.com>
> ---
>  net/sctp/input.c | 27 +++++++++++++++++----------
>  1 file changed, 17 insertions(+), 10 deletions(-)
> 
> diff --git a/net/sctp/input.c b/net/sctp/input.c
> index 69444d3..1555fb8 100644
> --- a/net/sctp/input.c
> +++ b/net/sctp/input.c
> @@ -796,27 +796,34 @@ struct sctp_hash_cmp_arg {
>  static inline int sctp_hash_cmp(struct rhashtable_compare_arg *arg,
>  				const void *ptr)
>  {
> +	struct sctp_transport *t = (struct sctp_transport *)ptr;
>  	const struct sctp_hash_cmp_arg *x = arg->key;
> -	const struct sctp_transport *t = ptr;
> -	struct sctp_association *asoc = t->asoc;
> -	const struct net *net = x->net;
> +	struct sctp_association *asoc;
> +	int err = 1;
>  
>  	if (!sctp_cmp_addr_exact(&t->ipaddr, x->paddr))
> -		return 1;
> -	if (!net_eq(sock_net(asoc->base.sk), net))
> -		return 1;
> +		return err;
> +	if (!sctp_transport_hold(t))
> +		return err;
> +
> +	asoc = t->asoc;
> +	if (!net_eq(sock_net(asoc->base.sk), x->net))
> +		goto out;
>  	if (x->ep) {
>  		if (x->ep != asoc->ep)
> -			return 1;
> +			goto out;
>  	} else {
>  		if (x->laddr->v4.sin_port != htons(asoc->base.bind_addr.port))
> -			return 1;
> +			goto out;
>  		if (!sctp_bind_addr_match(&asoc->base.bind_addr,
>  					  x->laddr, sctp_sk(asoc->base.sk)))
> -			return 1;
> +			goto out;
>  	}
>  
> -	return 0;
> +	err = 0;
> +out:
> +	sctp_transport_put(t);
> +	return err;
>  }
>  
>  static inline u32 sctp_hash_obj(const void *data, u32 len, u32 seed)
> -- 
> 2.1.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
What path does this occur in?  __sctp_lookup_association takes a hold on the
asoc, and that function is protected by the rcu_read_lock, so I'm not sure how
you get into a situation in which the asoc can be deleted while the lookup is
occuring.

Neil

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ