Date: Tue, 2 Nov 2021 16:52:28 +0100
From: Greg Kroah-Hartman
To: Alexey Khoroshilov
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Xin Long, Marcelo Ricardo Leitner, Jakub Kicinski, Sasha Levin, ldv-project@linuxtesting.org
Subject: Re: [PATCH 5.10 68/77] sctp: add vtag check in sctp_sf_violation
References: <20211101082511.254155853@linuxfoundation.org> <20211101082525.833757923@linuxfoundation.org>
List-ID: linux-kernel@vger.kernel.org

On Tue, Nov 02, 2021 at 05:12:16PM +0300, Alexey Khoroshilov wrote:
> Hello!
>
> It seems the patch may lead to a NULL pointer dereference.
>
>
> 1. sctp_sf_violation_chunk() calls sctp_sf_violation() with the asoc arg
> equal to NULL.
>
> static enum sctp_disposition sctp_sf_violation_chunk(
> ...
> {
> ...
>         if (!asoc)
>                 return sctp_sf_violation(net, ep, asoc, type, arg, commands);
> ...
>
> 2. The newly added code of sctp_sf_violation() calls sctp_vtag_verify()
> with the asoc arg equal to NULL.
>
> enum sctp_disposition sctp_sf_violation(struct net *net,
> ...
> {
>         struct sctp_chunk *chunk = arg;
>
>         if (!sctp_vtag_verify(chunk, asoc))
>                 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> ...
>
> 3. sctp_vtag_verify() dereferences asoc without any check.
>
> /* Check VTAG of the packet matches the sender's own tag. */
> static inline int
> sctp_vtag_verify(const struct sctp_chunk *chunk,
>                  const struct sctp_association *asoc)
> {
>         /* RFC 2960 Sec 8.5 When receiving an SCTP packet, the endpoint
>          * MUST ensure that the value in the Verification Tag field of
>          * the received SCTP packet matches its own Tag. If the received
>          * Verification Tag value does not match the receiver's own
>          * tag value, the receiver shall silently discard the packet...
>          */
>         if (ntohl(chunk->sctp_hdr->vtag) != asoc->c.my_vtag)
>                 return 0;
>
>
> Found by Linux Verification Center (linuxtesting.org) with the SVACE tool.

These issues should all be the same with Linus's tree, so can you please
submit patches to the normal netdev developers and mailing list to
resolve the above issues?

thanks,

greg k-h
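To make the reported failure mode concrete, the following is a small stand-alone C model added here as an example; it is not kernel code and not the fix that was later submitted to netdev. The `struct` stand-ins, the `example_ntohl`/`example_htonl` helpers, `handle_violation_safely` and `run_scenario` are all constructed for this example. `vtag_verify_unchecked` has the same shape as the `sctp_vtag_verify()` quoted in the report: it dereferences `asoc` unconditionally, so a NULL association crashes it. The hardened caller only consults the verification tag when an association exists, and otherwise stays on the violation path; that fall-through is an assumption of this example, not a statement of what upstream chose.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel structures named in the report
 * (constructed for this example; field names follow the quoted code). */
struct sctphdr {
    uint32_t vtag;              /* verification tag, network byte order */
};

struct sctp_chunk {
    struct sctphdr *sctp_hdr;
};

struct sctp_association {
    struct {
        uint32_t my_vtag;       /* host byte order, as in the kernel */
    } c;
};

enum disposition {
    DISPOSITION_DISCARD = 0,    /* stands in for sctp_sf_pdiscard() */
    DISPOSITION_VIOLATION = 1,  /* stands in for the rest of sctp_sf_violation() */
};

/* Portable byte-order helpers so the example does not need <arpa/inet.h>. */
uint32_t example_ntohl(uint32_t net)
{
    const unsigned char *p = (const unsigned char *)&net;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

uint32_t example_htonl(uint32_t host)
{
    uint32_t net;
    unsigned char *p = (unsigned char *)&net;
    p[0] = (unsigned char)(host >> 24);
    p[1] = (unsigned char)(host >> 16);
    p[2] = (unsigned char)(host >> 8);
    p[3] = (unsigned char)host;
    return net;
}

/* Same shape as the sctp_vtag_verify() quoted in the report: it trusts the
 * caller to pass a non-NULL association and dereferences it unconditionally.
 * Calling this with asoc == NULL is exactly the crash the report describes. */
int vtag_verify_unchecked(const struct sctp_chunk *chunk,
                          const struct sctp_association *asoc)
{
    if (example_ntohl(chunk->sctp_hdr->vtag) != asoc->c.my_vtag)
        return 0;
    return 1;
}

/* Hypothetical hardened caller (an assumption for this example, not the
 * upstream fix): only compare the verification tag when there is an
 * association to compare it against. With no association there is no
 * "own tag", so the chunk stays on the violation path instead of being
 * handled through a NULL pointer. */
enum disposition handle_violation_safely(const struct sctp_chunk *chunk,
                                         const struct sctp_association *asoc)
{
    if (asoc && !vtag_verify_unchecked(chunk, asoc))
        return DISPOSITION_DISCARD;
    return DISPOSITION_VIOLATION;
}

/* Build one chunk with the given host-order vtag and run it through the
 * hardened caller. have_assoc == 0 models the "asoc == NULL" path from
 * sctp_sf_violation_chunk(). */
enum disposition run_scenario(uint32_t chunk_vtag, uint32_t my_vtag, int have_assoc)
{
    struct sctphdr hdr = { .vtag = example_htonl(chunk_vtag) };
    struct sctp_chunk chunk = { .sctp_hdr = &hdr };
    struct sctp_association asoc = { .c = { .my_vtag = my_vtag } };

    return handle_violation_safely(&chunk, have_assoc ? &asoc : NULL);
}

int main(void)
{
    printf("matching tag   -> %d\n", run_scenario(0x1234abcdu, 0x1234abcdu, 1));
    printf("wrong tag      -> %d\n", run_scenario(0xdeadbeefu, 0x1234abcdu, 1));
    printf("no association -> %d\n", run_scenario(0x1234abcdu, 0x1234abcdu, 0));
    return 0;
}
```

The third scenario is the one the report is about: with the unchecked helper called directly, a NULL `asoc` would fault on `asoc->c.my_vtag`, whereas the guarded caller returns a disposition without touching it. The same guard could live inside the verify helper instead; either way, the NULL check has to sit before the first dereference.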