mbox series

[net,0/7] sctp: enhancements for the verification tag

Message ID cover.1634730082.git.lucien.xin@gmail.com (mailing list archive)
Headers show
Series sctp: enhancements for the verification tag | expand

Message

Xin Long Oct. 20, 2021, 11:42 a.m. UTC
This patchset is to address CVE-2021-3772:

  A flaw was found in the Linux SCTP stack. A blind attacker may be able to
  kill an existing SCTP association through invalid chunks if the attacker
  knows the IP-addresses and port numbers being used and the attacker can
  send packets with spoofed IP addresses.

This is caused by the missing VTAG verification for the received chunks
and the incorrect vtag for the ABORT used to reply to these invalid
chunks.

This patchset is to go over all processing functions for the received
chunks and do:

1. Make sure sctp_vtag_verify() is called firstly to verify the vtag from
   the received chunk and discard this chunk if it fails. With some
   exceptions:

   a. sctp_sf_do_5_1B_init()/5_2_2_dupinit()/9_2_reshutack(), processing
      INIT chunk, as sctphdr vtag is always 0 in INIT chunk.

   b. sctp_sf_do_5_2_4_dupcook(), processing dupicate COOKIE_ECHO chunk,
      as the vtag verification will be done by sctp_tietags_compare() and
      then it takes right actions according to the return.

   c. sctp_sf_shut_8_4_5(), processing SHUTDOWN_ACK chunk for cookie_wait
      and cookie_echoed state, as RFC demand sending a SHUTDOWN_COMPLETE
      even if the vtag verification failed.

   d. sctp_sf_ootb(), called in many types of chunks for closed state or
      no asoc, as the same reason to c.

2. Always use the vtag from the received INIT chunk to make the response
   ABORT in sctp_ootb_pkt_new().

3. Fix the order for some checks and add some missing checks for the
   received chunk.

This patch series has been tested with SCTP TAHI testing to make sure no
regression caused on protocol conformance.

Xin Long (7):
  sctp: use init_tag from inithdr for ABORT chunk
  sctp: fix the processing for INIT chunk
  sctp: fix the processing for INIT_ACK chunk
  sctp: fix the processing for COOKIE_ECHO chunk
  sctp: add vtag check in sctp_sf_violation
  sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
  sctp: add vtag check in sctp_sf_ootb

 net/sctp/sm_statefuns.c | 139 ++++++++++++++++++++++++----------------
 1 file changed, 85 insertions(+), 54 deletions(-)

Comments

Marcelo Ricardo Leitner Oct. 20, 2021, 11:23 p.m. UTC | #1
On Wed, Oct 20, 2021 at 07:42:40AM -0400, Xin Long wrote:
> This patchset is to address CVE-2021-3772:
> 
>   A flaw was found in the Linux SCTP stack. A blind attacker may be able to
>   kill an existing SCTP association through invalid chunks if the attacker
>   knows the IP-addresses and port numbers being used and the attacker can
>   send packets with spoofed IP addresses.

Please give me tomorrow to review it.

Thanks,
Marcelo
Marcelo Ricardo Leitner Oct. 22, 2021, 1:45 a.m. UTC | #2
On Wed, Oct 20, 2021 at 07:42:40AM -0400, Xin Long wrote:
> This patchset is to address CVE-2021-3772:
> 
>   A flaw was found in the Linux SCTP stack. A blind attacker may be able to
>   kill an existing SCTP association through invalid chunks if the attacker
>   knows the IP-addresses and port numbers being used and the attacker can
>   send packets with spoofed IP addresses.
> 
> This is caused by the missing VTAG verification for the received chunks
> and the incorrect vtag for the ABORT used to reply to these invalid
> chunks.
> 
> This patchset is to go over all processing functions for the received
> chunks and do:
> 
...
> 
> This patch series has been tested with SCTP TAHI testing to make sure no
> regression caused on protocol conformance.

Nice!

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Jakub Kicinski Oct. 22, 2021, 11:38 p.m. UTC | #3
On Thu, 21 Oct 2021 22:45:37 -0300 Marcelo Ricardo Leitner wrote:
> On Wed, Oct 20, 2021 at 07:42:40AM -0400, Xin Long wrote:
> > This patchset is to address CVE-2021-3772:
> > 
> >   A flaw was found in the Linux SCTP stack. A blind attacker may be able to
> >   kill an existing SCTP association through invalid chunks if the attacker
> >   knows the IP-addresses and port numbers being used and the attacker can
> >   send packets with spoofed IP addresses.
> > 
> > This is caused by the missing VTAG verification for the received chunks
> > and the incorrect vtag for the ABORT used to reply to these invalid
> > chunks.
> > 
> > This patchset is to go over all processing functions for the received
> > chunks and do:
> >   
> ...
> > 
> > This patch series has been tested with SCTP TAHI testing to make sure no
> > regression caused on protocol conformance.  
>  
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Applied, thanks.