lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 7 Feb 2017 09:09:39 -0200
From:   Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Vladislav Yasevich <vyasevich@...il.com>,
        Neil Horman <nhorman@...driver.com>,
        David Miller <davem@...emloft.net>, linux-sctp@...r.kernel.org,
        netdev <netdev@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        Xin Long <lucien.xin@...il.com>
Subject: Re: net/sctp: GPF in sctp_addr_id2transport

On Tue, Feb 07, 2017 at 10:42:38AM +0100, Dmitry Vyukov wrote:
> Hello,
> 
> The following program triggers GPF in sctp_addr_id2transport:
> 
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <string.h>
> #include <stdint.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <linux/in.h>
> #include <linux/sctp.h>
> 
> int main()
> {
>   int sock = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>   struct sctp_paddrinfo info;
>   memset(&info, 0, sizeof(info));
>   int sz = sizeof(info);
>   getsockopt(sock, IPPROTO_SCTP, SCTP_GET_PEER_ADDR_INFO, &info, &sz);
>   return 0;
> }
> 
...
> RIP: 0010:sctp_addr_id2transport+0xb7/0x350 net/sctp/socket.c:242
...
>  sctp_getsockopt_peer_addr_info+0x211/0x620 net/sctp/socket.c:4628
>  sctp_getsockopt+0x2813/0x66a0 net/sctp/socket.c:6503
>  sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2685
>  SYSC_getsockopt net/socket.c:1819 [inline]
>  SyS_getsockopt+0x240/0x380 net/socket.c:1801
>  entry_SYSCALL_64_fastpath+0x1f/0xc2

Xin, I believe 6f29a1306131 ("sctp: sctp_addr_id2transport should verify
the addr before looking up assoc") introduced this issue.

As info is all 0'ed in this test,
+       struct sctp_af *af = sctp_get_af_specific(addr->ss_family);
will return NULL, and then boom at:
+       if (sctp_verify_addr(sk, laddr, af->sockaddr_len))
                                        ^^^^

  Marcelo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ