On 04/17/2014 11:26, Daniel Borkmann wrote: > From: Vlad Yasevich <vyasevic@xxxxxxxxxx> > > Currently, it is possible to create an SCTP socket, then switch > auth_enable via sysctl setting to 1 and crash the system on connect: > > Oops[#1]: > CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1 > task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000 > [...] > Call Trace: > [<ffffffff8043c4e8>] sctp_auth_asoc_set_default_hmac+0x68/0x80 > [<ffffffff8042b300>] sctp_process_init+0x5e0/0x8a4 > [<ffffffff8042188c>] sctp_sf_do_5_1B_init+0x234/0x34c > [<ffffffff804228c8>] sctp_do_sm+0xb4/0x1e8 > [<ffffffff80425a08>] sctp_endpoint_bh_rcv+0x1c4/0x214 > [<ffffffff8043af68>] sctp_rcv+0x588/0x630 > [<ffffffff8043e8e8>] sctp6_rcv+0x10/0x24 > [<ffffffff803acb50>] ip6_input+0x2c0/0x440 > [<ffffffff8030fc00>] __netif_receive_skb_core+0x4a8/0x564 > [<ffffffff80310650>] process_backlog+0xb4/0x18c > [<ffffffff80313cbc>] net_rx_action+0x12c/0x210 > [<ffffffff80034254>] __do_softirq+0x17c/0x2ac > [<ffffffff800345e0>] irq_exit+0x54/0xb0 > [<ffffffff800075a4>] ret_from_irq+0x0/0x4 > [<ffffffff800090ec>] rm7k_wait_irqoff+0x24/0x48 > [<ffffffff8005e388>] cpu_startup_entry+0xc0/0x148 > [<ffffffff805a88b0>] start_kernel+0x37c/0x398 > Code: dd0900b8 000330f8 0126302d <dcc60000> 50c0fff1 0047182a a48306a0 > 03e00008 00000000 > ---[ end trace b530b0551467f2fd ]--- > Kernel panic - not syncing: Fatal exception in interrupt > > What happens while auth_enable=0 in that case is, that > ep->auth_hmacs is initialized to NULL in sctp_auth_init_hmacs() > when endpoint is being created. > > After that point, if an admin switches over to auth_enable=1, > the machine can crash due to NULL pointer dereference during > reception of an INIT chunk. When we enter sctp_process_init() > via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk, > the INIT verification succeeds and while we walk and process > all INIT params via sctp_process_param() we find that > net->sctp.auth_enable is set, therefore do not fall through, > but invoke sctp_auth_asoc_set_default_hmac() instead, and thus, > dereference what we have set to NULL during endpoint > initialization phase. > > The fix is to make auth_enable immutable by caching its value > during endpoint initialization, so that its original value is > being carried along until destruction. The bug seems to originate > from the very first days. > > Fix in joint work with Daniel Borkmann. > > Reported-by: Joshua Kinard <kumba@xxxxxxxxxx> > Signed-off-by: Vlad Yasevich <vyasevic@xxxxxxxxxx> > Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx> This solves the problem for me, thanks! Tested-by: Joshua Kinard <kumba@xxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-sctp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
