lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CADvbK_fhGKBXyjSqo8shKVKi11SPoVQ2z1+Vde0ranhpsoy0zQ@mail.gmail.com>
Date: Wed, 14 Feb 2024 14:14:21 -0500
From: Xin Long <lucien.xin@...il.com>
To: Dmitry Antipov <dmantipov@...dex.ru>
Cc: Jakub Kicinski <kuba@...nel.org>, Marcelo Ricardo Leitner <marcelo.leitner@...il.com>, 
	linux-sctp@...r.kernel.org, netdev@...r.kernel.org, 
	lvc-project@...uxtesting.org, 
	syzbot+8bb053b5d63595ab47db@...kaller.appspotmail.com
Subject: Re: [PATCH] [v3] net: sctp: fix skb leak in sctp_inq_free()

On Wed, Feb 14, 2024 at 3:23 AM Dmitry Antipov <dmantipov@...dex.ru> wrote:
>
> In case of GSO, 'chunk->skb' pointer may point to an entry from
> fraglist created in 'sctp_packet_gso_append()'. To avoid freeing
> random fraglist entry (and so undefined behavior and/or memory
> leak), introduce 'sctp_inq_chunk_free()' helper to ensure that
> 'chunk->skb' is set to 'chunk->head_skb' (i.e. fraglist head)
> before calling 'sctp_chunk_free()', and use the aforementioned
> helper in 'sctp_inq_pop()' as well.
>
> Reported-by: syzbot+8bb053b5d63595ab47db@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?id=0d8351bbe54fd04a492c2daab0164138db008042
> Fixes: 90017accff61 ("sctp: Add GSO support")
> Suggested-by: Xin Long <lucien.xin@...il.com>
> Signed-off-by: Dmitry Antipov <dmantipov@...dex.ru>
Acked-by: Xin Long <lucien.xin@...il.com>
> ---
> v3: https://lore.kernel.org/netdev/CADvbK_cjg7kd7uFWxPBpwMAxwsuCki791zQ7D01y+vk0R5wTSQ@mail.gmail.com
>     - rename helper to 'sctp_inq_chunk_free()' (Xin Long)
> v2: https://lore.kernel.org/netdev/20240209134703.63a9167b@kernel.org
>     - factor the fix out to helper function (Jakub Kicinski)
> ---
>  net/sctp/inqueue.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
> index 7182c5a450fb..5c1652181805 100644
> --- a/net/sctp/inqueue.c
> +++ b/net/sctp/inqueue.c
> @@ -38,6 +38,14 @@ void sctp_inq_init(struct sctp_inq *queue)
>         INIT_WORK(&queue->immediate, NULL);
>  }
>
> +/* Properly release the chunk which is being worked on. */
> +static inline void sctp_inq_chunk_free(struct sctp_chunk *chunk)
> +{
> +       if (chunk->head_skb)
> +               chunk->skb = chunk->head_skb;
> +       sctp_chunk_free(chunk);
> +}
> +
>  /* Release the memory associated with an SCTP inqueue.  */
>  void sctp_inq_free(struct sctp_inq *queue)
>  {
> @@ -53,7 +61,7 @@ void sctp_inq_free(struct sctp_inq *queue)
>          * free it as well.
>          */
>         if (queue->in_progress) {
> -               sctp_chunk_free(queue->in_progress);
> +               sctp_inq_chunk_free(queue->in_progress);
>                 queue->in_progress = NULL;
>         }
>  }
> @@ -130,9 +138,7 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
>                                 goto new_skb;
>                         }
>
> -                       if (chunk->head_skb)
> -                               chunk->skb = chunk->head_skb;
> -                       sctp_chunk_free(chunk);
> +                       sctp_inq_chunk_free(chunk);
>                         chunk = queue->in_progress = NULL;
>                 } else {
>                         /* Nothing to do. Next chunk in the packet, please. */
> --
> 2.43.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ