search

NixOS / security

MIT License
30 stars 12 forks source link

Roundup: [oss-security] Linux: CVE-2017-6353: sctp: deny peeloff operation on asocs with threads sleeping on it #127

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003e6b

Should the search term be changed from linux-kernel? Suggest a new package search by commenting:

-suggested:linux-kernel +suggested:correctPackageName thread:0000000000003e6b

Known CVEs: CVE-2017-5986, CVE-2017-6353

Skip to End

Mon, 27 Feb 2017 13:07:06 +0100 Salvatore Bonaccorso , 20170227120706.3entdizfnyz5iwrf@lorien.valinor.li
Hi

Via the CVE webform, MITRE has assigned CVE-2017-6353 for:

https://marc.info/?l=linux-netdev&m=148785309416337&w=2

>Subject:    [PATCH net] sctp: deny peeloff operation on asocs with threads sleeping on it
>From:       Marcelo Ricardo Leitner <marcelo.leitner () gmail ! com>
>Date:       2017-02-23 12:31:18
>
>commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
>attempted to avoid a BUG_ON call when the association being used for a
>sendmsg() is blocked waiting for more sndbuf and another thread did a
>peeloff operation on such asoc, moving it to another socket.
>
>As Ben Hutchings noticed, then in such case it would return without
>locking back the socket and would cause two unlocks in a row.
>
>Further analysis also revealed that it could allow a double free if the
>application managed to peeloff the asoc that is created during the
>sendmsg call, because then sctp_sendmsg() would try to free the asoc
>that was created only for that call.
>
>This patch takes another approach. It will deny the peeloff operation
>if there is a thread sleeping on the asoc, so this situation doesn't
>exist anymore. This avoids the issues described above and also honors
>the syscalls that are already being handled (it can be multiple sendmsg
>calls).
>
>Joint work with Xin Long.
>
>Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
>Cc: Alexander Popov <alex.popov@linux.com>
>Cc: Ben Hutchings <ben@decadent.org.uk>
>Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
>Signed-off-by: Xin Long <lucien.xin@gmail.com>
>---
>Hi, please consider this one for -stable too. Thanks
>
> net/sctp/socket.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/net/sctp/socket.c b/net/sctp/socket.c
>index 1b5d669e30292a57ed57dd920d81be2a57f97b22..d04a8b66098c8a574642b026bff990ac64c21468 100644
>--- a/net/sctp/socket.c
>+++ b/net/sctp/socket.c
>@@ -4734,6 +4734,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
>   if (!asoc)
>       return -EINVAL;
> 
>+  /* If there is a thread waiting on more sndbuf space for
>+   * sending on this asoc, it cannot be peeled.
>+   */
>+  if (waitqueue_active(&asoc->wait))
>+      return -EBUSY;
>+
>   /* An association cannot be branched off from an already peeled-off
>    * socket, nor is this supported for tcp style sockets.
>    */
>@@ -7426,8 +7432,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
>        */
>       release_sock(sk);
>       current_timeo = schedule_timeout(current_timeo);
>-      if (sk != asoc->base.sk)
>-          goto do_error;
>       lock_sock(sk);
> 
>       *timeo_p = current_timeo;
>-- 
>2.9.3

This was found while reviewing the fix of CVE-2017-5986 (2dcab5984841
("sctp: avoid BUG_ON on sctp_wait_for_sndbuf"))

Regards,
Salvatore

Skip to End

grahamc commented 7 years ago

According to http://cve.circl.lu/cve/CVE-2017-5986, this applies to 4.9.11 and earlier.