| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Jan 2023 18:14:16 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org,
Xin Long <lucien.xin@...il.com>,
Pietro Borrello <borrello@...g.uniroma1.it>
Subject: Re: [PATCH net] sctp: fail if no bound addresses can be used for a
given scope
On Mon, 23 Jan 2023 14:59:33 -0300 Marcelo Ricardo Leitner wrote:
> Currently, if you bind the socket to something like:
> servaddr.sin6_family = AF_INET6;
> servaddr.sin6_port = htons(0);
> servaddr.sin6_scope_id = 0;
> inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
>
> And then request a connect to:
> connaddr.sin6_family = AF_INET6;
> connaddr.sin6_port = htons(20000);
> connaddr.sin6_scope_id = if_nametoindex("lo");
> inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
>
> What the stack does is:
> - bind the socket
> - create a new asoc
> - to handle the connect
> - copy the addresses that can be used for the given scope
> - try to connect
>
> But the copy returns 0 addresses, and the effect is that it ends up
> trying to connect as if the socket wasn't bound, which is not the
> desired behavior. This unexpected behavior also allows KASLR leaks
> through SCTP diag interface.
>
> The fix here then is, if when trying to copy the addresses that can
> be used for the scope used in connect() it returns 0 addresses, bail
> out. This is what TCP does with a similar reproducer.
>
> Reported-by: Pietro Borrello <borrello@...g.uniroma1.it>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Fixes tag?
Powered by blists - more mailing lists