Patch "sctp: fail if no bound addresses can be used for a given scope" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    sctp: fail if no bound addresses can be used for a given scope

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6842cdc1dcc72b9f13a5803367ae0a86672dbf77
Author: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
Date:   Mon Jan 23 14:59:33 2023 -0300

    sctp: fail if no bound addresses can be used for a given scope
    
    [ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ]
    
    Currently, if you bind the socket to something like:
            servaddr.sin6_family = AF_INET6;
            servaddr.sin6_port = htons(0);
            servaddr.sin6_scope_id = 0;
            inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
    
    And then request a connect to:
            connaddr.sin6_family = AF_INET6;
            connaddr.sin6_port = htons(20000);
            connaddr.sin6_scope_id = if_nametoindex("lo");
            inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
    
    What the stack does is:
     - bind the socket
     - create a new asoc
     - to handle the connect
       - copy the addresses that can be used for the given scope
       - try to connect
    
    But the copy returns 0 addresses, and the effect is that it ends up
    trying to connect as if the socket wasn't bound, which is not the
    desired behavior. This unexpected behavior also allows KASLR leaks
    through SCTP diag interface.
    
    The fix here then is, if when trying to copy the addresses that can
    be used for the scope used in connect() it returns 0 addresses, bail
    out. This is what TCP does with a similar reproducer.
    
    Reported-by: Pietro Borrello <borrello@xxxxxxxxxxxxxxxx>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
    Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx>
    Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner@xxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
index 59e653b528b1..6b95d3ba8fe1 100644
--- a/net/sctp/bind_addr.c
+++ b/net/sctp/bind_addr.c
@@ -73,6 +73,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest,
 		}
 	}
 
+	/* If somehow no addresses were found that can be used with this
+	 * scope, it's an error.
+	 */
+	if (list_empty(&dest->address_list))
+		error = -ENETUNREACH;
+
 out:
 	if (error)
 		sctp_bind_addr_clean(dest);
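Review bot: the new list_empty() check only assigns `error`, so it relies on the `out:` path below (`if (error) sctp_bind_addr_clean(dest);`, visible in the context lines) to release anything already copied into `dest`; that works as written because the check sits immediately before the label. What the hunk cannot show, and what should be confirmed before merging, is that every caller of sctp_bind_addr_copy() propagates a non-zero return instead of ignoring it, since the commit message says the bug is precisely that a zero-address copy was treated as success and the connect proceeded as if the socket were unbound. A one-line mention in the comment of why -ENETUNREACH was chosen (matching what TCP returns for the same situation, per the commit message) would also help the next reader.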


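To make the scope rule behind this fix concrete, here is an added userspace model of the address filtering that sctp_bind_addr_copy() performs; it is example code written for this note, not the kernel's code, and it is deliberately simplified. It assumes a classification of IPv6 addresses into the same scope ordering the kernel uses (global, private, link, loopback, unusable), with ::1 as loopback, fe80::/10 as link-local, fc00::/7 as private, :: as unusable and everything else global, and it assumes the default scope policy where an address is usable only if its scope is at least as wide as the destination's. The `fixed` flag switches between the pre-patch behaviour (an empty copy reported as success) and the patched behaviour (an empty copy reported as -ENETUNREACH). No sockets are opened; the addresses are constructed inline from the commit message's reproducer.

```c
/* Userspace model of the scope filtering done by sctp_bind_addr_copy().
 * Added example, not kernel code; classification and policy are simplified. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Same ordering as the kernel's enum sctp_scope: a numerically smaller
 * scope is wider and may be used for any narrower destination scope. */
enum scope { SCOPE_GLOBAL = 0, SCOPE_PRIVATE, SCOPE_LINK, SCOPE_LOOPBACK, SCOPE_UNUSABLE };

#define MAX_ADDRS 8

struct bind_addr_list {
    struct in6_addr addr[MAX_ADDRS];
    int count;
};

/* Simplified IPv6 classification (an assumption of this example; the kernel
 * handles more cases): :: unusable, ::1 loopback, fe80::/10 link-local,
 * fc00::/7 private, everything else global. */
enum scope addr_scope(const struct in6_addr *a)
{
    if (IN6_IS_ADDR_UNSPECIFIED(a))
        return SCOPE_UNUSABLE;
    if (IN6_IS_ADDR_LOOPBACK(a))
        return SCOPE_LOOPBACK;
    if (IN6_IS_ADDR_LINKLOCAL(a))
        return SCOPE_LINK;
    if ((a->s6_addr[0] & 0xfe) == 0xfc)
        return SCOPE_PRIVATE;
    return SCOPE_GLOBAL;
}

/* Default-policy rule: usable if the address scope is at least as wide
 * (numerically <=) as the destination scope; unusable never matches. */
int in_scope(const struct in6_addr *a, enum scope dest_scope)
{
    enum scope s = addr_scope(a);
    if (s == SCOPE_UNUSABLE)
        return 0;
    return s <= dest_scope;
}

/* Copy the bound addresses usable for dest_scope into dest.
 * fixed == 0: pre-patch behaviour, an empty result still returns 0.
 * fixed != 0: patched behaviour, an empty result returns -ENETUNREACH,
 * so the caller cannot continue as if the socket had never been bound. */
int bind_addr_copy(struct bind_addr_list *dest, const struct bind_addr_list *src,
                   enum scope dest_scope, int fixed)
{
    dest->count = 0;
    for (int i = 0; i < src->count; i++) {
        if (in_scope(&src->addr[i], dest_scope))
            dest->addr[dest->count++] = src->addr[i];
    }
    if (fixed && dest->count == 0)
        return -ENETUNREACH;
    return 0;
}

/* Build a bound-address list from textual IPv6 addresses. */
int list_from_strings(struct bind_addr_list *l, const char **strs, int n)
{
    l->count = 0;
    for (int i = 0; i < n && i < MAX_ADDRS; i++) {
        if (inet_pton(AF_INET6, strs[i], &l->addr[l->count]) != 1)
            return -1;
        l->count++;
    }
    return 0;
}

/* Replay the commit's scenario: a socket bound to `bound`, then a connect
 * towards `peer`. Returns what bind_addr_copy() would hand back to connect(). */
int connect_scenario(const char *bound, const char *peer, int fixed)
{
    struct bind_addr_list src, dst;
    struct in6_addr p;
    const char *b[1] = { bound };

    if (list_from_strings(&src, b, 1) < 0 || inet_pton(AF_INET6, peer, &p) != 1)
        return -EINVAL;
    return bind_addr_copy(&dst, &src, addr_scope(&p), fixed);
}

int main(void)
{
    /* Bound to ::1, connecting to link-local fe88::1 (the commit's reproducer). */
    printf("unpatched: %d\n", connect_scenario("::1", "fe88::1", 0));
    printf("patched:   %d\n", connect_scenario("::1", "fe88::1", 1));
    /* Bound to ::1, connecting to ::1: loopback is in scope, copy succeeds. */
    printf("loopback:  %d\n", connect_scenario("::1", "::1", 1));
    return 0;
}
```

The unpatched call returns 0 with an empty list, which is exactly the state the commit message describes: the caller sees success and carries on with no bound addresses. The patched call returns -ENETUNREACH for the same input, while a bound global address (usable for every narrower scope) still passes.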