From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexey Kodanev, Marcelo Ricardo Leitner, Neil Horman, "David S. Miller"
Subject: [PATCH 4.4 31/36] sctp: verify size of a new chunk in _sctp_make_chunk()
Date: Fri, 9 Mar 2018 16:18:47 -0800
Message-Id: <20180310001809.079131255@linuxfoundation.org>
In-Reply-To: <20180310001807.213987241@linuxfoundation.org>
References: <20180310001807.213987241@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Alexey Kodanev

[ Upstream commit 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c ]

When SCTP makes an INIT or INIT_ACK packet, the total chunk length can
exceed SCTP_MAX_CHUNK_LEN, which leads to a kernel panic when transmitting
these packets, e.g. the crash on sending INIT_ACK:

[ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168 put:120156 head:000000007aa47635 data:00000000d991c2de tail:0x1d640 end:0xfec0 dev: ...
[ 597.976970] ------------[ cut here ]------------
[ 598.033408] kernel BUG at net/core/skbuff.c:104!
[ 600.314841] Call Trace:
[ 600.345829]
[ 600.371639]  ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.436934]  skb_put+0x16c/0x200
[ 600.477295]  sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.540630]  ? sctp_packet_config+0x890/0x890 [sctp]
[ 600.601781]  ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[ 600.671356]  ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[ 600.731482]  sctp_outq_flush+0x663/0x30d0 [sctp]
[ 600.788565]  ? sctp_make_init+0xbf0/0xbf0 [sctp]
[ 600.845555]  ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[ 600.912945]  ? sctp_outq_tail+0x631/0x9d0 [sctp]
[ 600.969936]  sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[ 601.041593]  ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[ 601.104837]  ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[ 601.175436]  ? sctp_eat_data+0x1710/0x1710 [sctp]
[ 601.233575]  sctp_do_sm+0x182/0x560 [sctp]
[ 601.284328]  ? sctp_has_association+0x70/0x70 [sctp]
[ 601.345586]  ? sctp_rcv+0xef4/0x32f0 [sctp]
[ 601.397478]  ? sctp6_rcv+0xa/0x20 [sctp]
...

Here the chunk size for the INIT_ACK packet becomes too big, mostly because
of the state cookie (the INIT packet has a large size with many address
parameters), plus additional server parameters. Later this chunk causes the
panic in skb_put_data():

  skb_packet_transmit()
    sctp_packet_pack()
      skb_put_data(nskb, chunk->skb->data, chunk->skb->len);

'nskb' (head skb) was previously allocated with packet->size from u16
'chunk->chunk_hdr->length'.
As suggested by Marcelo, we should check the chunk's length in
_sctp_make_chunk() before trying to allocate an skb for it and discard a
chunk if its size is bigger than SCTP_MAX_CHUNK_LEN.

Signed-off-by: Alexey Kodanev
Acked-by: Marcelo Ricardo Leitner
Acked-by: Neil Horman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sctp/sm_make_chunk.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -1367,10 +1367,14 @@ static struct sctp_chunk *_sctp_make_chu sctp_chunkhdr_t *chunk_hdr; struct sk_buff *skb; struct sock *sk; + int chunklen; + + chunklen = sizeof(*chunk_hdr) + paylen; + if (chunklen > SCTP_MAX_CHUNK_LEN) + goto nodata; /* No need to allocate LL here, as this is only a chunk. */ - skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen), - GFP_ATOMIC); + skb = alloc_skb(chunklen, GFP_ATOMIC); if (!skb) goto nodata;
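Review bot: the replacement `skb = alloc_skb(chunklen, GFP_ATOMIC);` drops the WORD_ROUND() that the removed `alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen), GFP_ATOMIC)` applied, so this hunk silently shrinks the skb from the rounded size the old code asked for to the exact, unpadded `sizeof(*chunk_hdr) + paylen`, and the new bound check compares that unpadded value as well. Suggest `chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);` so the SCTP_MAX_CHUNK_LEN comparison and the allocation both use the padded length and the allocation size stays what it was before the patch; if dropping the rounding is intentional, the commit message should say why. The check itself is sound: `chunklen` is an int, so the comparison happens before the value is ever narrowed into the u16 `chunk_hdr->length` the commit message identifies as the source of the undersized head skb.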
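The failure the commit message describes comes down to one narrowing store: a chunk length computed in a wide type is written into a 16-bit header field, and a buffer sized from that field is then too small for the data copied into it. The user-space model below is an added example, not code from the kernel or from this patch; `struct chunk_hdr`, `MAX_CHUNK_LEN`, `word_round()`, `truncated_hdr_len()`, `shortfall_without_check()` and `make_chunk()` are assumed names, and the constructed payload size is chosen so the chunk is 120168 bytes, the `len:` value in the `skb_over_panic` line above. It shows both sides: what the unchecked header field would record, and the fixed path that rejects the chunk before allocating. The model pads to a 4-byte boundary before checking, as a design choice for the example.

```c
/* Added example, not kernel code: a user-space model of the bound check that
 * _sctp_make_chunk() performs before allocating a chunk's skb. All names and
 * the MAX_CHUNK_LEN value are assumptions for illustration; the kernel's own
 * constant is SCTP_MAX_CHUNK_LEN. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wire-format SCTP chunk header: type, flags and a 16-bit length. The width
 * of that field is why a chunk longer than 65535 bytes cannot be described
 * by its own header. */
struct chunk_hdr {
    uint8_t  type;
    uint8_t  flags;
    uint16_t length;   /* chunk length including this header, unpadded */
};

/* Assumed bound: the largest length the 16-bit field can carry. */
#define MAX_CHUNK_LEN 65535u

/* SCTP pads chunks to a multiple of 4 bytes; the buffer must hold the pad. */
static size_t word_round(size_t n)
{
    return (n + 3) & ~(size_t)3;
}

/* What the header's length field would record if the chunk were built with
 * no check at all: the narrowing store keeps only the low 16 bits, so a
 * buffer sized from this value is far smaller than the data later copied
 * into it. This mirrors the 'nskb' sizing described in the commit message. */
uint16_t truncated_hdr_len(size_t paylen)
{
    return (uint16_t)(sizeof(struct chunk_hdr) + paylen);
}

/* How many bytes a buffer sized from the truncated header length would fall
 * short of the real chunk; 0 when the chunk fits in 16 bits. */
size_t shortfall_without_check(size_t paylen)
{
    size_t real = sizeof(struct chunk_hdr) + paylen;
    return real - truncated_hdr_len(paylen);
}

/* Model of the fixed path: compute the whole (padded) length in a wide type,
 * reject it before allocating, and only then size the buffer from the same
 * value. Returns NULL where the kernel does "goto nodata". */
struct chunk_hdr *make_chunk(uint8_t type, const void *payload, size_t paylen)
{
    size_t chunklen = word_round(sizeof(struct chunk_hdr) + paylen);

    if (chunklen > MAX_CHUNK_LEN)
        return NULL;                          /* too big for a 16-bit length */

    struct chunk_hdr *c = calloc(1, chunklen); /* calloc zeroes the pad bytes */
    if (!c)
        return NULL;

    c->type   = type;
    c->length = (uint16_t)(sizeof(struct chunk_hdr) + paylen); /* safe now */
    if (paylen)
        memcpy(c + 1, payload, paylen);       /* payload follows the header */
    return c;
}

int main(void)
{
    /* Constructed input: a payload chosen so the chunk is 120168 bytes, the
     * "len:" value in the skb_over_panic line of the commit message. */
    size_t big = 120164;
    printf("unchecked: header would say %u, real size %zu, short by %zu\n",
           truncated_hdr_len(big), sizeof(struct chunk_hdr) + big,
           shortfall_without_check(big));

    unsigned char *payload = calloc(1, big);
    struct chunk_hdr *c = make_chunk(2 /* INIT_ACK */, payload, big);
    printf("checked: %s\n", c ? "accepted" : "rejected (nodata)");
    free(c);

    c = make_chunk(2, payload, 100);
    printf("small chunk: accepted, header length %u\n", c->length);
    free(c);
    free(payload);
    return 0;
}
```

The point of `make_chunk()` is that the comparison happens on `size_t chunklen`, never on the 16-bit field, so any chunk that would wrap the header length is refused before memory is sized from it; the same ordering is what the patch introduces ahead of `alloc_skb()`.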