Message ID | 035e28d623263b9c3ccbbea689883d6437aa5aa0.1664388613.git.lucien.xin@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 022152aaebe116a25c39818a07e175a8cd3c1e11 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [net] sctp: handle the error returned from sctp_auth_asoc_init_active_key | expand |
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Wed, 28 Sep 2022 14:10:13 -0400 you wrote: > When it returns an error from sctp_auth_asoc_init_active_key(), the > active_key is actually not updated. The old sh_key will be freeed > while it's still used as active key in asoc. Then an use-after-free > will be triggered when sending patckets, as found by syzbot: > > sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 > sctp_set_owner_w net/sctp/socket.c:132 [inline] > sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 > sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 > inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 > sock_sendmsg_nosec net/socket.c:714 [inline] > sock_sendmsg+0xcf/0x120 net/socket.c:734 > > [...] Here is the summary with links: - [net] sctp: handle the error returned from sctp_auth_asoc_init_active_key https://git.kernel.org/netdev/net/c/022152aaebe1 You are awesome, thank you!
diff --git a/net/sctp/auth.c b/net/sctp/auth.c index db6b7373d16c..34964145514e 100644 --- a/net/sctp/auth.c +++ b/net/sctp/auth.c @@ -863,12 +863,17 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, } list_del_init(&shkey->key_list); - sctp_auth_shkey_release(shkey); list_add(&cur_key->key_list, sh_keys); - if (asoc && asoc->active_key_id == auth_key->sca_keynumber) - sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); + if (asoc && asoc->active_key_id == auth_key->sca_keynumber && + sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) { + list_del_init(&cur_key->key_list); + sctp_auth_shkey_release(cur_key); + list_add(&shkey->key_list, sh_keys); + return -ENOMEM; + } + sctp_auth_shkey_release(shkey); return 0; } @@ -902,8 +907,13 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep, return -EINVAL; if (asoc) { + __u16 active_key_id = asoc->active_key_id; + asoc->active_key_id = key_id; - sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); + if (sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) { + asoc->active_key_id = active_key_id; + return -ENOMEM; + } } else ep->active_key_id = key_id;
When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freeed while it's still used as active key in asoc. Then an use-after-free will be triggered when sending patckets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens. Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced") Reported-by: syzbot+a236dd8e9622ed8954a3@syzkaller.appspotmail.com Signed-off-by: Xin Long <lucien.xin@gmail.com> --- net/sctp/auth.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-)