lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 17 Oct 2018 22:12:12 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     marcelo.leitner@...il.com
Cc:     netdev@...r.kernel.org, linux-sctp@...r.kernel.org,
        vyasevich@...il.com, nhorman@...driver.com, dvyukov@...gle.com
Subject: Re: [PATCH net] sctp: fix race on sctp_id2asoc

From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Date: Tue, 16 Oct 2018 15:18:17 -0300

> syzbot reported an use-after-free involving sctp_id2asoc.  Dmitry Vyukov
> helped to root cause it and it is because of reading the asoc after it
> was freed:
> 
>         CPU 1                       CPU 2
> (working on socket 1)            (working on socket 2)
> 	                         sctp_association_destroy
> sctp_id2asoc
>    spin lock
>      grab the asoc from idr
>    spin unlock
>                                    spin lock
> 				     remove asoc from idr
> 				   spin unlock
> 				   free(asoc)
>    if asoc->base.sk != sk ... [*]
> 
> This can only be hit if trying to fetch asocs from different sockets. As
> we have a single IDR for all asocs, in all SCTP sockets, their id is
> unique on the system. An application can try to send stuff on an id
> that matches on another socket, and the if in [*] will protect from such
> usage. But it didn't consider that as that asoc may belong to another
> socket, it may be freed in parallel (read: under another socket lock).
> 
> We fix it by moving the checks in [*] into the protected region. This
> fixes it because the asoc cannot be freed while the lock is held.
> 
> Reported-by: syzbot+c7dd55d7aec49d48e49a@...kaller.appspotmail.com
> Acked-by: Dmitry Vyukov <dvyukov@...gle.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>

Applied and queued up for -stable.

Powered by blists - more mailing lists