From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com, Marcelo Ricardo Leitner, Xin Long, "David S. Miller"
Subject: [PATCH 4.19 20/24] sctp: check policy more carefully when getting pr status
Date: Fri, 2 Nov 2018 19:34:53 +0100
Message-Id: <20181102182842.839118398@linuxfoundation.org>
In-Reply-To: <20181102182839.725385066@linuxfoundation.org>
References: <20181102182839.725385066@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long

[ Upstream commit 713358369382cebf92f6e98ce2005f94e7344931 ]

When getting pr_assocstatus and pr_streamstatus by sctp_getsockopt, it doesn't correctly process the case when policy is set with SCTP_PR_SCTP_ALL | SCTP_PR_SCTP_MASK. It even causes a slab-out-of-bounds in sctp_getsockopt_pr_streamstatus().

This patch fixes it by returning -EINVAL for this case.

Fixes: 0ac1077e3a54 ("sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL")
Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
Suggested-by: Marcelo Ricardo Leitner
Signed-off-by: Xin Long
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sctp/socket.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/sctp/socket.c +++ b/net/sctp/socket.c
@@ -7101,14 +7101,15 @@ static int sctp_getsockopt_pr_assocstatu } policy = params.sprstat_policy; - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || + ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK))) goto out; asoc = sctp_id2assoc(sk, params.sprstat_assoc_id); if (!asoc) goto out; - if (policy & SCTP_PR_SCTP_ALL) { + if (policy == SCTP_PR_SCTP_ALL) { params.sprstat_abandoned_unsent = 0; params.sprstat_abandoned_sent = 0; for (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) { @@ -7160,7 +7161,8 @@ static int sctp_getsockopt_pr_streamstat } policy = params.sprstat_policy; - if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) + if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || + ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK))) goto out; asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
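Review bot: In the sctp_getsockopt_pr_assocstatus hunk, replacing `if (policy & SCTP_PR_SCTP_ALL)` with `if (policy == SCTP_PR_SCTP_ALL)` does not change behaviour once the new third term of the validation is in place, and the changelog should say so. Any value that carries SCTP_PR_SCTP_ALL together with a SCTP_PR_SCTP_MASK bit, or with a bit outside both, has already taken `goto out` a few lines earlier, so the two tests accept the same set of values. Keeping the equality test as a second line of defence is reasonable, but the commit message only describes the rejection, so a reader bisecting later cannot tell which of the two changes closes the reported case. The hunk also does not show the return value being set before `goto out`; please confirm that this path yields -EINVAL as the changelog states.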
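Review bot: The three-term policy check added in the sctp_getsockopt_pr_streamstatus hunk is a verbatim copy of the one added to sctp_getsockopt_pr_assocstatus, and duplicated validation of a user-supplied value is how the two getsockopt paths can drift apart again. Consider moving the condition into one small static helper in net/sctp/socket.c that both functions call, so a later change to the accepted policy values lands in a single place. A one-line comment above the check stating that SCTP_PR_SCTP_ALL must not be combined with any SCTP_PR_SCTP_MASK bit would also help, since the changelog ties the slab-out-of-bounds to this function and nothing in the code records why the extra term exists.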