lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20191015143528.GJ3499@localhost.localdomain>
Date:   Tue, 15 Oct 2019 11:35:28 -0300
From:   Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To:     Xin Long <lucien.xin@...il.com>
Cc:     network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org,
        davem@...emloft.net, Neil Horman <nhorman@...driver.com>
Subject: Re: [PATCH net] sctp: change sctp_prot .no_autobind with true

On Tue, Oct 15, 2019 at 03:24:38PM +0800, Xin Long wrote:
> syzbot reported a memory leak:
> 
>   BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
>   backtrace:
> 
>     [...] slab_alloc mm/slab.c:3319 [inline]
>     [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
>     [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
>     [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
>     [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
>     [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
>     [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
>     [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
>     [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
>     [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
>     [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
>     [...] __do_sys_setsockopt net/socket.c:2100 [inline]
> 
> It was caused by sending msgs without binding a port, in the path:
> inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> not. Later when binding another port by sctp_setsockopt_bindx(), a new
> bucket will be created as bp->port is not set.
> 
> sctp's autobind is supposed to call sctp_autobind() where it does all
> things including setting bp->port. Since sctp_autobind() is called in
> sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> auto bind.
> 
> This patch is to avoid calling inet_autobind() in inet_send_prepare()
> by changing sctp_prot .no_autobind with true, also remove the unused
> .get_port.
> 
> Reported-by: syzbot+d44f7bbebdea49dbc84a@...kaller.appspotmail.com
> Signed-off-by: Xin Long <lucien.xin@...il.com>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
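The mechanism the commit message describes, written out as an added model (this is not kernel code and not part of the thread): a port bucket table, a socket that records the bucket it owns in bind_hash and its port in bp->port, and the two autobind entry points. The bucket table, the ephemeral port numbers and the helper names are simplified stand-ins; the ownership step in get_port_local() (only taken when the socket does not yet own a bucket), the port inheritance and the bp->port refresh in do_bind() follow the outline of sctp_get_port_local() and sctp_do_bind() as the report relies on them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not kernel code: one bucket per bound port. */
#define MAX_BUCKETS 8

struct bucket { unsigned short port; int owners; bool used; };
struct sock {
    unsigned short inet_num;  /* stands in for inet_sk(sk)->inet_num */
    unsigned short bp_port;   /* stands in for bp->port (sctp_bind_addr) */
    struct bucket *bind_hash; /* stands in for sctp_sk(sk)->bind_hash */
};

static struct bucket table[MAX_BUCKETS];
static unsigned short next_ephemeral;  /* constructed port allocator */

static void reset_model(void) { memset(table, 0, sizeof table); next_ephemeral = 40000; }

static struct bucket *bucket_create(unsigned short port) {
    for (int i = 0; i < MAX_BUCKETS; i++)
        if (!table[i].used) {
            table[i].used = true; table[i].port = port; table[i].owners = 0;
            return &table[i];
        }
    abort();
}

/* Model of sctp_get_port_local(): find or create the bucket for snum
 * (snum == 0 picks an ephemeral port). The socket becomes an owner of the
 * bucket only if it does not already own one. */
static int get_port_local(struct sock *sk, unsigned short snum) {
    struct bucket *pp = NULL;
    if (snum == 0) {
        snum = next_ephemeral++;
        pp = bucket_create(snum);
    } else {
        for (int i = 0; i < MAX_BUCKETS; i++)
            if (table[i].used && table[i].port == snum) { pp = &table[i]; break; }
        if (!pp) pp = bucket_create(snum);
    }
    if (!sk->bind_hash) {  /* the "success:" block */
        sk->inet_num = snum;
        pp->owners++;
        sk->bind_hash = pp;
    }
    return 0;
}

/* Model of sctp_do_bind(): once bp->port is set, port 0 inherits it and a
 * different port is rejected; after a first bind bp->port is refreshed. */
static int do_bind(struct sock *sk, unsigned short snum) {
    if (sk->bp_port) {
        if (!snum) snum = sk->bp_port;
        else if (snum != sk->bp_port) return -1;  /* -EINVAL */
    }
    if (get_port_local(sk, snum)) return -1;      /* -EADDRINUSE */
    if (!sk->bp_port) sk->bp_port = sk->inet_num;
    return 0;
}

/* inet_autobind(): generic path, calls .get_port directly, bp->port untouched. */
static void inet_autobind(struct sock *sk) { if (!sk->inet_num) get_port_local(sk, 0); }
/* sctp_autobind(): SCTP path, goes through do_bind(). */
static void sctp_autobind(struct sock *sk) { do_bind(sk, 0); }

/* A bucket with no owner is never torn down (the destroy happens when the
 * last owner unbinds), so it counts as leaked. */
static int orphan_buckets(void) {
    int n = 0;
    for (int i = 0; i < MAX_BUCKETS; i++)
        if (table[i].used && table[i].owners == 0) n++;
    return n;
}

/* The reported sequence: sendmsg() on an unbound socket, then
 * SCTP_SOCKOPT_BINDX_ADD with a port-0 address. Returns leaked buckets. */
static int run_scenario(bool no_autobind) {
    struct sock sk = {0};
    reset_model();
    if (!no_autobind) inet_autobind(&sk);  /* inet_send_prepare() path */
    else sctp_autobind(&sk);               /* sctp_sendmsg() path */
    do_bind(&sk, 0);                       /* sctp_bindx_add() -> do_bind() */
    return orphan_buckets();
}

int main(void) {
    printf("no_autobind=false: %d orphan bucket(s)\n", run_scenario(false));
    printf("no_autobind=true:  %d orphan bucket(s)\n", run_scenario(true));
    return 0;
}
```

With no_autobind false the first bucket is owned but bp->port stays 0, so the bindx add does not inherit the port, creates a second bucket, and the already-set bind_hash keeps the socket from ever owning it. With no_autobind true the first bind goes through do_bind(), bp->port is set, and the bindx add finds the existing bucket.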
