From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com, Xin Long, Neil Horman, Marcelo Ricardo Leitner, "David S. Miller"
Subject: [PATCH 4.18 033/197] sctp: hold transport before accessing its asoc in sctp_transport_get_next
Date: Thu, 13 Sep 2018 15:29:42 +0200
Message-Id: <20180913131842.884774588@linuxfoundation.org>
In-Reply-To: <20180913131841.568116777@linuxfoundation.org>
References: <20180913131841.568116777@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Xin Long

[ Upstream commit bab1be79a5169ac748d8292b20c86d874022d7ba ]

As Marcelo noticed, in sctp_transport_get_next, it is iterating over transports but then also accessing the association directly, without checking any refcnts before that, which can cause a use-after-free Read.

So fix it by holding transport before accessing the association. With that, sctp_transport_hold calls can be removed in the later places.

Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
Reported-by: syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com
Signed-off-by: Xin Long
Acked-by: Neil Horman
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sctp/proc.c   |  4 ----
 net/sctp/socket.c | 22 +++++++++++++++-------
 2 files changed, 15 insertions(+), 11 deletions(-)

--- a/net/sctp/proc.c +++ b/net/sctp/proc.c @@ -260,8 +260,6 @@ static int sctp_assocs_seq_show(struct s } transport = (struct sctp_transport *)v; - if (!sctp_transport_hold(transport)) - return 0; assoc = transport->asoc; epb = &assoc->base; sk = epb->sk; @@ -318,8 +316,6 @@ static int sctp_remaddr_seq_show(struct } transport = (struct sctp_transport *)v; - if (!sctp_transport_hold(transport)) - return 0; assoc = transport->asoc; list_for_each_entry_rcu(tsp, &assoc->peer.transport_addr_list, --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4881,9 +4881,14 @@ struct sctp_transport *sctp_transport_ge break; } + if (!sctp_transport_hold(t)) + continue; + if (net_eq(sock_net(t->asoc->base.sk), net) && t->asoc->peer.primary_path == t) break; + + sctp_transport_put(t); } return t;
@@ -4893,13 +4898,18 @@ struct sctp_transport *sctp_transport_ge struct rhashtable_iter *iter, int pos) { - void *obj = SEQ_START_TOKEN; + struct sctp_transport *t; + + if (!pos) + return SEQ_START_TOKEN; - while (pos && (obj = sctp_transport_get_next(net, iter)) && - !IS_ERR(obj)) - pos--; + while ((t = sctp_transport_get_next(net, iter)) && !IS_ERR(t)) { + if (!--pos) + break; + sctp_transport_put(t); + } - return obj; + return t; } int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *), @@ -4958,8 +4968,6 @@ again: tsp = sctp_transport_get_idx(net, &hti, *pos + 1); for (; !IS_ERR_OR_NULL(tsp); tsp = sctp_transport_get_next(net, &hti)) { - if (!sctp_transport_hold(tsp)) - continue; ret = cb(tsp, p); if (ret) break;
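Review bot: in the two net/sctp/proc.c hunks (sctp_assocs_seq_show and sctp_remaddr_seq_show), dropping `if (!sctp_transport_hold(transport)) return 0;` is only balanced if the unchanged tail of each function still ends with a `sctp_transport_put(transport)`, which now releases the reference taken inside sctp_transport_get_next instead of the local one; that put is outside the hunk, so please confirm it is still there in 4.18, otherwise every /proc/net/sctp read leaks one transport reference per row and the transport (and its asoc) is never freed.

Review bot: the sctp_transport_get_next hunk changes the function's contract (it now returns a transport with a reference held, and callers must sctp_transport_put() it), but nothing in the hunk documents that; a one-line comment above the function, or in the kernel-doc if it has one, would stop the next caller from repeating the original bug in the other direction (a leak instead of a use-after-free). The `continue` on a failed sctp_transport_hold() is the right choice, since a transport whose refcount already hit zero is mid-teardown and its `t->asoc` must not be dereferenced.

Review bot: in the sctp_transport_get_idx hunk, the early `if (!pos) return SEQ_START_TOKEN;` plus `if (!--pos) break;` keeps the old semantics (pos == 1 returns the first transport) while putting every skipped entry, which looks correct; note that when the walk runs out before pos reaches zero the function returns NULL, and when sctp_transport_get_next fails it returns the ERR_PTR, so callers must keep using IS_ERR_OR_NULL() on the result as sctp_for_each_transport already does.

Review bot: in the sctp_for_each_transport hunk, the `ret = cb(tsp, p); if (ret) break;` path now leaves the loop holding the reference that sctp_transport_get_next (or sctp_transport_get_idx) took on `tsp`; the per-iteration put that balances the normal path is not visible in the hunk, and neither is anything after the loop that drops the reference on the error path. Either add `sctp_transport_put(tsp);` before the `break`, or confirm that the code after the loop handles it, since a callback returning non-zero (for example a full netlink skb in sctp_diag) would otherwise pin that transport for good.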