From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "David S. Miller", "Marcelo Ricardo Leitner", "Alexey Kodanev", "Neil Horman"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Message-ID:
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 022/410] sctp: verify size of a new chunk in _sctp_make_chunk()
In-Reply-To:
X-SA-Exim-Connect-IP: 148.252.241.226
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------
From: Alexey Kodanev

commit 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c upstream.

When SCTP makes INIT or INIT_ACK packet the total chunk length can exceed
SCTP_MAX_CHUNK_LEN which leads to kernel panic when transmitting these
packets, e.g. the crash on sending INIT_ACK:

[  597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
               put:120156 head:000000007aa47635 data:00000000d991c2de
               tail:0x1d640 end:0xfec0 dev:
...
[  597.976970] ------------[ cut here ]------------
[  598.033408] kernel BUG at net/core/skbuff.c:104!
[  600.314841] Call Trace:
[  600.345829]
[  600.371639]  ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.436934]  skb_put+0x16c/0x200
[  600.477295]  sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.540630]  ? sctp_packet_config+0x890/0x890 [sctp]
[  600.601781]  ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[  600.671356]  ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[  600.731482]  sctp_outq_flush+0x663/0x30d0 [sctp]
[  600.788565]  ? sctp_make_init+0xbf0/0xbf0 [sctp]
[  600.845555]  ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[  600.912945]  ? sctp_outq_tail+0x631/0x9d0 [sctp]
[  600.969936]  sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[  601.041593]  ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[  601.104837]  ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[  601.175436]  ? sctp_eat_data+0x1710/0x1710 [sctp]
[  601.233575]  sctp_do_sm+0x182/0x560 [sctp]
[  601.284328]  ? sctp_has_association+0x70/0x70 [sctp]
[  601.345586]  ? sctp_rcv+0xef4/0x32f0 [sctp]
[  601.397478]  ? sctp6_rcv+0xa/0x20 [sctp]
...

Here the chunk size for INIT_ACK packet becomes too big, mostly because
of the state cookie (INIT packet has large size with many address
parameters), plus additional server parameters.

Later this chunk causes the panic in skb_put_data():

  skb_packet_transmit()
    sctp_packet_pack()
      skb_put_data(nskb, chunk->skb->data, chunk->skb->len);

'nskb' (head skb) was previously allocated with packet->size from u16
'chunk->chunk_hdr->length'.
As suggested by Marcelo we should check the chunk's length in _sctp_make_chunk() before trying to allocate skb for it and discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN. Signed-off-by: Alexey Kodanev Acked-by: Marcelo Ricardo Leitner Acked-by: Neil Horman Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Keep using WORD_ROUND() instead of SCTP_PAD4() - Adjust context] Signed-off-by: Ben Hutchings --- net/sctp/sm_make_chunk.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -1367,10 +1367,14 @@ static struct sctp_chunk *_sctp_make_chu sctp_chunkhdr_t *chunk_hdr; struct sk_buff *skb; struct sock *sk; + int chunklen; + + chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen); + if (chunklen > SCTP_MAX_CHUNK_LEN) + goto nodata; /* No need to allocate LL here, as this is only a chunk. */ - skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen), - GFP_ATOMIC); + skb = alloc_skb(chunklen, GFP_ATOMIC); if (!skb) goto nodata;
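Review bot: the new `if (chunklen > SCTP_MAX_CHUNK_LEN) goto nodata;` exits through the same label as the `if (!skb) goto nodata;` allocation failure two lines below it, so an oversized INIT_ACK is handed back to the caller exactly as an out-of-memory alloc_skb() would be and the peer's INIT simply goes unanswered; that matches the "discard a chunk" intent stated in the commit message, but a one-line comment above the check saying why (a chunk longer than SCTP_MAX_CHUNK_LEN cannot be represented in the u16 chunk_hdr->length that sizes the head skb, which is what produced the skb_over_panic quoted above) would stop the next reader from treating the branch as dead code. The placement itself is right: the comparison uses the same padded `chunklen` that is then passed to `alloc_skb(chunklen, GFP_ATOMIC)`, so whatever passes the check is exactly what gets allocated, and the backport's substitution of WORD_ROUND() for SCTP_PAD4() preserves that property.

As an added illustration, not part of the patch or of the kernel source, here is a stand-alone C model of the mismatch the commit message describes: a chunk builder that keeps the real byte count separately from a 16-bit header length, and a packer that sizes its head buffer from the header lengths but copies the real lengths, the shape of the sctp_packet_transmit() path quoted above. The pre-fix and post-fix builders sit side by side. The names, the 4-byte header size, the WORD_ROUND and maximum-length values, and the `try_send` driver are assumptions of this model, not the kernel's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model constants. These values are assumptions for this stand-alone model;
 * the kernel's own definitions are not shown on the page. The chunk header
 * is taken to be 4 bytes: type, flags and a u16 length. */
#define CHUNK_HDR_LEN   4u
#define WORD_ROUND(s)   (((s) + 3u) & ~(size_t)3u)
#define MAX_CHUNK_LEN   ((1u << 16) - CHUNK_HDR_LEN)

/* The two views of a chunk's size that the kernel keeps: the real skb length
 * used when copying, and the u16 header field used when sizing the packet. */
struct chunk {
    size_t   real_len;  /* chunk->skb->len: the bytes actually present */
    uint16_t hdr_len;   /* chunk->chunk_hdr->length: stored in 16 bits */
};

/* Pre-fix behaviour: always build the chunk; the header length truncates. */
int make_chunk_unchecked(size_t paylen, struct chunk *c)
{
    c->real_len = WORD_ROUND(CHUNK_HDR_LEN + paylen);
    c->hdr_len  = (uint16_t)(CHUNK_HDR_LEN + paylen);  /* silent truncation */
    return 0;
}

/* Post-fix behaviour: reject anything whose padded length exceeds the
 * maximum before allocating, so hdr_len can never disagree with real_len. */
int make_chunk_checked(size_t paylen, struct chunk *c)
{
    size_t chunklen = WORD_ROUND(CHUNK_HDR_LEN + paylen);
    if (chunklen > MAX_CHUNK_LEN)
        return -1;  /* discard the chunk instead of building it */
    c->real_len = chunklen;
    c->hdr_len  = (uint16_t)(CHUNK_HDR_LEN + paylen);
    return 0;
}

/* Packet assembly in the shape of the crash: the head buffer is sized from
 * the u16 header lengths, but each chunk is copied using its real length.
 * Returns 0 if every copy fits, -1 where the kernel would hit skb_over_panic. */
int pack_chunks(const struct chunk *chunks, size_t n)
{
    size_t size = 0, tail = 0, i;
    unsigned char *head;
    int rc = 0;

    for (i = 0; i < n; i++)
        size += WORD_ROUND((size_t)chunks[i].hdr_len);  /* packet->size */

    head = malloc(size ? size : 1);
    if (!head)
        return -1;

    for (i = 0; i < n; i++) {
        if (tail + chunks[i].real_len > size) {  /* the skb_put() bounds check */
            rc = -1;
            break;
        }
        memset(head + tail, 0, chunks[i].real_len);  /* stand-in for skb_put_data */
        tail += chunks[i].real_len;
    }
    free(head);
    return rc;
}

/* Drive one chunk of payload length paylen through the unchecked (0) or
 * checked (1) builder and then through the packer.
 * Returns  1 if the builder discarded the chunk,
 *          0 if it was built and packed without overrun,
 *         -1 if packing would have overrun the head buffer (the panic). */
int try_send(size_t paylen, int checked)
{
    struct chunk c;
    int rc = checked ? make_chunk_checked(paylen, &c)
                     : make_chunk_unchecked(paylen, &c);
    if (rc < 0)
        return 1;
    return pack_chunks(&c, 1);
}
```

With a payload of 65532 bytes the unchecked builder stores a header length of 0 (65536 wrapped to 16 bits) while the real length is 65536, so the packer allocates nothing and the copy overruns; the checked builder refuses the same payload before any allocation happens, and both agree on everything at or below the maximum.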