Patch "sctp: handle the error returned from sctp_auth_asoc_init_active_key" has been added to the 5.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    sctp: handle the error returned from sctp_auth_asoc_init_active_key

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5d26c99bc698397e3c367f6ebaa1a3ac75ac5772
Author: Xin Long <lucien.xin@xxxxxxxxx>
Date:   Wed Sep 28 14:10:13 2022 -0400

    sctp: handle the error returned from sctp_auth_asoc_init_active_key
    
    [ Upstream commit 022152aaebe116a25c39818a07e175a8cd3c1e11 ]
    
    When it returns an error from sctp_auth_asoc_init_active_key(), the
    active_key is actually not updated. The old sh_key will be freeed
    while it's still used as active key in asoc. Then an use-after-free
    will be triggered when sending patckets, as found by syzbot:
    
      sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
      sctp_set_owner_w net/sctp/socket.c:132 [inline]
      sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
      sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
      inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
    
    This patch is to fix it by not replacing the sh_key when it returns
    errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().
    For sctp_auth_set_active_key(), old active_key_id will be set back
    to asoc->active_key_id when the same thing happens.
    
    Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
    Reported-by: syzbot+a236dd8e9622ed8954a3@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index db6b7373d16c..34964145514e 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -863,12 +863,17 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
 	}
 
 	list_del_init(&shkey->key_list);
-	sctp_auth_shkey_release(shkey);
 	list_add(&cur_key->key_list, sh_keys);
 
-	if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
-		sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+	if (asoc && asoc->active_key_id == auth_key->sca_keynumber &&
+	    sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
+		list_del_init(&cur_key->key_list);
+		sctp_auth_shkey_release(cur_key);
+		list_add(&shkey->key_list, sh_keys);
+		return -ENOMEM;
+	}
 
+	sctp_auth_shkey_release(shkey);
 	return 0;
 }
 
@@ -902,8 +907,13 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep,
 		return -EINVAL;
 
 	if (asoc) {
+		__u16  active_key_id = asoc->active_key_id;
+
 		asoc->active_key_id = key_id;
-		sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+		if (sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
+			asoc->active_key_id = active_key_id;
+			return -ENOMEM;
+		}
 	} else
 		ep->active_key_id = key_id;
 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux