Subject: Re: [PATCH 5.10 68/77] sctp: add vtag check in sctp_sf_violation
To: Greg Kroah-Hartman, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Xin Long, Marcelo Ricardo Leitner, Jakub Kicinski, Sasha Levin, ldv-project@linuxtesting.org
References: <20211101082511.254155853@linuxfoundation.org> <20211101082525.833757923@linuxfoundation.org>
From: Alexey Khoroshilov
Date: Tue, 2 Nov 2021 17:12:16 +0300
In-Reply-To: <20211101082525.833757923@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello!

It seems the patch may lead to a NULL pointer dereference.

1. sctp_sf_violation_chunk() calls sctp_sf_violation() with the asoc arg equal to NULL.

static enum sctp_disposition sctp_sf_violation_chunk(
...
{
...
	if (!asoc)
		return sctp_sf_violation(net, ep, asoc, type, arg, commands);
...

2. The newly added code of sctp_sf_violation() calls sctp_vtag_verify() with the asoc arg equal to NULL.

enum sctp_disposition sctp_sf_violation(struct net *net,
...
{
	struct sctp_chunk *chunk = arg;

	if (!sctp_vtag_verify(chunk, asoc))
		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
...

3. sctp_vtag_verify() dereferences asoc without any check.

/* Check VTAG of the packet matches the sender's own tag. */
static inline int sctp_vtag_verify(const struct sctp_chunk *chunk,
				   const struct sctp_association *asoc)
{
	/* RFC 2960 Sec 8.5 When receiving an SCTP packet, the endpoint
	 * MUST ensure that the value in the Verification Tag field of
	 * the received SCTP packet matches its own Tag. If the received
	 * Verification Tag value does not match the receiver's own
	 * tag value, the receiver shall silently discard the packet...
	 */
	if (ntohl(chunk->sctp_hdr->vtag) != asoc->c.my_vtag)
		return 0;

Found by Linux Verification Center (linuxtesting.org) with the SVACE tool.

--
Best regards,
Alexey Khoroshilov
Linux Verification Center, ISPRAS

On 01.11.2021 12:17, Greg Kroah-Hartman wrote:
> From: Xin Long
>
> [ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ]
>
> sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk
> in cookie_wait state, and some other places are also using it.
>
> The vtag in the chunk's sctphdr should be verified, otherwise, as
> later in chunk length check, it may send abort with the existent
> asoc's vtag, which can be exploited by one to cook a malicious
> chunk to terminate a SCTP asoc.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Xin Long
> Acked-by: Marcelo Ricardo Leitner
> Signed-off-by: Jakub Kicinski
> Signed-off-by: Sasha Levin
> ---
>  net/sctp/sm_statefuns.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index 0cfbf6046bf8..324c0222d9e6 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -4549,6 +4549,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net, > { > struct sctp_chunk *chunk = arg; > > + if (!sctp_vtag_verify(chunk, asoc)) > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); > + > /* Make sure that the chunk has a valid length. */ > if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) > return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, >
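Review bot: the new `if (!sctp_vtag_verify(chunk, asoc))` at the top of sctp_sf_violation() assumes asoc is non-NULL, but sctp_sf_violation_chunk() explicitly forwards its `if (!asoc)` case to sctp_sf_violation() (quoted earlier in this thread) and sctp_vtag_verify() reads asoc->c.my_vtag without any check, so with this hunk a chunk that arrives for no association becomes a NULL pointer dereference instead of a protocol-violation reply. Either guard the call, e.g. `if (asoc && !sctp_vtag_verify(chunk, asoc))`, or move the tag check into the callers that actually hold an association; in both cases the check should stay ahead of sctp_chunk_length_valid(), since the commit message's concern is the ABORT built on that later path.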
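To make the two behaviours in this thread concrete, here is an added user-space model, not kernel code and not written by anyone in the thread. It models the forged-vtag scenario from the commit message (before the patch the chunk reaches the ABORT path, after it the chunk is discarded) and the asoc == NULL path from the reply. The struct layouts, the `disposition` enum, the handler names `sf_violation_before`, `sf_violation_patched` and `sf_violation_guarded`, the scenario helpers `forged_chunk_outcome` and `no_asoc_outcome`, and the constructed vtag values are all assumptions of this example; the `asoc &&` guard is one illustrative fix, not the upstream one.

```c
/* Added example, not kernel code: a user-space model of the vtag check the
 * thread discusses. Struct layouts, enum values and the handler names are
 * simplified stand-ins for net/sctp, not the real definitions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>		/* ntohl()/htonl() */

struct sctphdr {
	uint16_t source, dest;
	uint32_t vtag;		/* Verification Tag, big-endian on the wire */
	uint32_t checksum;
};

struct sctp_chunk {
	struct sctphdr *sctp_hdr;	/* header of the packet carrying the chunk */
};

struct sctp_association {
	struct { uint32_t my_vtag; } c;	/* tag a peer must send to reach us */
};

enum disposition {
	DISP_DISCARD,	/* sctp_sf_pdiscard(): silently dropped, no reply */
	DISP_ABORT,	/* violation path continues and an ABORT goes out */
};

/* Same shape as the kernel helper: no NULL check on asoc. */
static int sctp_vtag_verify(const struct sctp_chunk *chunk,
			    const struct sctp_association *asoc)
{
	return ntohl(chunk->sctp_hdr->vtag) == asoc->c.my_vtag;
}

/* Before the patch: a packet with any vtag reaches the ABORT path. */
enum disposition sf_violation_before(const struct sctp_chunk *chunk,
				     const struct sctp_association *asoc)
{
	(void)chunk; (void)asoc;
	return DISP_ABORT;
}

/* The hunk as posted. Must not be called with asoc == NULL, since
 * sctp_vtag_verify() would then dereference NULL (the reply's point). */
enum disposition sf_violation_patched(const struct sctp_chunk *chunk,
				      const struct sctp_association *asoc)
{
	if (!sctp_vtag_verify(chunk, asoc))
		return DISP_DISCARD;
	return DISP_ABORT;
}

/* One illustrative guard (this example's assumption, not the upstream fix):
 * only compare tags when there is an association to compare against. */
enum disposition sf_violation_guarded(const struct sctp_chunk *chunk,
				      const struct sctp_association *asoc)
{
	if (asoc && !sctp_vtag_verify(chunk, asoc))
		return DISP_DISCARD;
	return DISP_ABORT;
}

typedef enum disposition (*violation_fn)(const struct sctp_chunk *,
					 const struct sctp_association *);

/* Constructed packet: the chunk's packet header carries @vtag. */
static struct sctp_chunk make_chunk(struct sctphdr *hdr, uint32_t vtag)
{
	memset(hdr, 0, sizeof(*hdr));
	hdr->vtag = htonl(vtag);
	return (struct sctp_chunk){ .sctp_hdr = hdr };
}

/* Commit-message scenario: an off-path sender who does not know the
 * association's tag delivers a malformed chunk carrying @forged_vtag. */
enum disposition forged_chunk_outcome(violation_fn handler,
				      uint32_t real_vtag, uint32_t forged_vtag)
{
	struct sctp_association asoc = { .c = { .my_vtag = real_vtag } };
	struct sctphdr hdr;
	struct sctp_chunk chunk = make_chunk(&hdr, forged_vtag);
	return handler(&chunk, &asoc);
}

/* Reply's scenario: sctp_sf_violation_chunk() forwarding with asoc == NULL. */
enum disposition no_asoc_outcome(violation_fn handler, uint32_t vtag)
{
	struct sctphdr hdr;
	struct sctp_chunk chunk = make_chunk(&hdr, vtag);
	return handler(&chunk, NULL);
}

int main(void)
{
	const uint32_t real = 0x11223344u, forged = 0xdeadbeefu;

	printf("before patch, forged tag: %d (1 = ABORT sent)\n",
	       forged_chunk_outcome(sf_violation_before, real, forged));
	printf("patched, forged tag:      %d (0 = discarded)\n",
	       forged_chunk_outcome(sf_violation_patched, real, forged));
	printf("guarded, no association:  %d (1 = handled, no NULL deref)\n",
	       no_asoc_outcome(sf_violation_guarded, forged));
	return 0;
}
```

The model deliberately never calls sf_violation_patched() with a NULL association: that is exactly the path the reply describes, and in this model, as in the kernel, sctp_vtag_verify() would dereference the NULL pointer. The guarded variant shows the minimum needed for that path to fall back to the pre-patch behaviour while still discarding forged tags when an association exists.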