From patchwork Tue Mar 15 13:26:01 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 551600
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 4.14 1/2] sctp: fix the processing for INIT chunk
Date: Tue, 15 Mar 2022 15:26:01 +0200
Message-Id: <20220315132602.2094562-1-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: stable@vger.kernel.org

From: Xin Long

commit eae5783908042a762c24e1bd11876edb91d314b1 upstream.

This patch fixes the problems below:

1. In non-shutdown_ack_sent states: in sctp_sf_do_5_1B_init() and
   sctp_sf_do_5_2_2_dupinit(): the chunk length check should be done before
   any checks that may cause an abort to be sent, as making the packet for
   the abort will access the init_tag from init_hdr in sctp_ootb_pkt_new().

2. In shutdown_ack_sent state: in sctp_sf_do_9_2_reshutack(): the same
   checks as are done in sctp_sf_do_5_2_2_dupinit() are needed for
   sctp_sf_do_9_2_reshutack().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: Jakub Kicinski
[OP: adjusted context for 4.14]
Signed-off-by: Ovidiu Panait
---
CVE-2021-3772 patchset consists of 7 fixes:

[1] 4f7019c7eb33 ("sctp: use init_tag from inithdr for ABORT chunk")
[2] eae578390804 ("sctp: fix the processing for INIT chunk")
[3] 438b95a7c98f ("sctp: fix the processing for INIT_ACK chunk")
[4] a64b341b8695 ("sctp: fix the processing for COOKIE_ECHO chunk")
[5] aa0f697e4528 ("sctp: add vtag check in sctp_sf_violation")
[6] ef16b1734f0a ("sctp: add vtag check in sctp_sf_do_8_5_1_E_sa")
[7] 9d02831e517a ("sctp: add vtag check in sctp_sf_ootb")

This series contains backports for [2] and [3], which are the only fixes
missing from 4.14-stable. Only small contextual adjustments were made.

 net/sctp/sm_statefuns.c | 71 ++++++++++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 25 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index b26067798dbf..91aecc3449d2 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -161,6 +161,12 @@ static enum sctp_disposition __sctp_sf_do_9_1_abort( void *arg, struct sctp_cmd_seq *commands); +static enum sctp_disposition +__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const union sctp_subtype type, void *arg, + struct sctp_cmd_seq *commands); + /* Small helper function that checks if the chunk length * is of the appropriate length. The 'required_length' argument * is set to be the size of a specific chunk we are testing.
@@ -337,6 +343,14 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, if (!chunk->singleton) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the INIT chunk has a valid length. + * Normally, this would cause an ABORT with a Protocol Violation + * error, but since we don't have an association, we'll + * just discard the packet. + */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* If the packet is an OOTB packet which is temporarily on the * control endpoint, respond with an ABORT. */ @@ -351,14 +365,6 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net, if (chunk->sctp_hdr->vtag != 0) return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); - /* Make sure that the INIT chunk has a valid length. - * Normally, this would cause an ABORT with a Protocol Violation - * error, but since we don't have an association, we'll - * just discard the packet. - */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) - return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); - /* If the INIT is coming toward a closing socket, we'll send back * and ABORT. Essentially, this catches the race of INIT being * backloged to the socket at the same time as the user isses close(). 
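Review bot: In the @@ -337 / @@ -351 pair, the relocated sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)) check now sits directly after the singleton check, ahead of both the OOTB-on-control-endpoint branch ("respond with an ABORT") and the `chunk->sctp_hdr->vtag != 0` branch that returns sctp_sf_tabort_8_4_8(). That is the order the commit message calls for: the ABORT built in sctp_ootb_pkt_new() reads init_tag out of init_hdr, so the INIT must be known to be at least sizeof(struct sctp_init_chunk) long before any ABORT path can run, and the moved comment ("since we don't have an association, we'll just discard the packet") is still accurate at the new position. One nit while this function is being touched: the surviving context line "backloged to the socket at the same time as the user isses close()" carries two pre-existing typos (backlogged, issues) that could be fixed in the same change.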
@@ -1460,19 +1466,16 @@ static enum sctp_disposition sctp_sf_do_unexpected_init( if (!chunk->singleton) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the INIT chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* 3.1 A packet containing an INIT chunk MUST have a zero Verification * Tag. */ if (chunk->sctp_hdr->vtag != 0) return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); - /* Make sure that the INIT chunk has a valid length. - * In this case, we generate a protocol violation since we have - * an association established. - */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); /* Grab the INIT header. */ chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data; @@ -1787,9 +1790,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( * its peer. */ if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) { - disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc, - SCTP_ST_CHUNK(chunk->chunk_hdr->type), - chunk, commands); + disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc, + SCTP_ST_CHUNK(chunk->chunk_hdr->type), + chunk, commands); if (SCTP_DISPOSITION_NOMEM == disposition) goto nomem; 
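Review bot: The @@ -1460 hunk in sctp_sf_do_unexpected_init() is a behaviour change, not just a reorder: the removed block returned sctp_sf_violation_chunklen() (a Protocol Violation ABORT, as its comment explains, because an association exists), while the added check returns sctp_sf_pdiscard(), a silent drop. The commit message only says the length check must precede any check that can send an abort; it should also state that an undersized INIT arriving on an existing association is now discarded instead of aborted, and why that is acceptable (the same reason as in sctp_sf_do_5_1B_init: an ABORT cannot safely be built from an INIT too short to contain init_hdr). The new one-line comment "Make sure that the INIT chunk has a valid length." is the natural place to carry that sentence.

Review bot: In the @@ -1787 hunk, sctp_sf_do_dupcook_a() switches to the unchecked __sctp_sf_do_9_2_reshutack(). That is deliberate and correct: the chunk handed over here is the duplicate COOKIE_ECHO (its type comes from chunk->chunk_hdr->type), so the INIT-specific length check against sizeof(struct sctp_init_chunk) and the vtag == 0 requirement in the public wrapper must not be applied to it. A short comment at the call site saying the caller has already validated the COOKIE_ECHO and that the INIT-only checks are intentionally bypassed would keep a later reader from "fixing" this back to the checked entry point.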
@@ -2847,13 +2850,11 @@ enum sctp_disposition sctp_sf_do_9_2_shut_ctsn( * that belong to this association, it should discard the INIT chunk and * retransmit the SHUTDOWN ACK chunk. */ -enum sctp_disposition sctp_sf_do_9_2_reshutack( - struct net *net, - const struct sctp_endpoint *ep, - const struct sctp_association *asoc, - const union sctp_subtype type, - void *arg, - struct sctp_cmd_seq *commands) +static enum sctp_disposition +__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const union sctp_subtype type, void *arg, + struct sctp_cmd_seq *commands) { struct sctp_chunk *chunk = arg; struct sctp_chunk *reply; 
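Review bot: With the body renamed to the static __sctp_sf_do_9_2_reshutack() in the @@ -2847 hunk, the doc comment still in context above it ("it should discard the INIT chunk and retransmit the SHUTDOWN ACK chunk") now documents the unchecked inner helper, while the exported sctp_sf_do_9_2_reshutack() re-added in the following hunk, which is the state-table entry point, has no comment at all. Suggest moving that comment to the new wrapper, or adding one line above the helper stating that it performs no singleton/length/vtag validation and must only be reached from a caller that has already validated its chunk (the wrapper, and sctp_sf_do_dupcook_a() via the @@ -1787 hunk).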
@@ -2887,6 +2888,26 @@ enum sctp_disposition sctp_sf_do_9_2_reshutack( return SCTP_DISPOSITION_NOMEM; } +enum sctp_disposition +sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const union sctp_subtype type, void *arg, + struct sctp_cmd_seq *commands) +{ + struct sctp_chunk *chunk = arg; + + if (!chunk->singleton) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + if (chunk->sctp_hdr->vtag != 0) + return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands); + + return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands); +} + /* * sctp_sf_do_ecn_cwr *

From patchwork Tue Mar 15 13:25:10 2022
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 551601
From: Ovidiu Panait
To: stable@vger.kernel.org
Subject: [PATCH 4.19 2/2] sctp: fix the processing for INIT_ACK chunk
Date: Tue, 15 Mar 2022 15:25:10 +0200
Message-Id: <20220315132510.2088935-2-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220315132510.2088935-1-ovidiu.panait@windriver.com>
References: <20220315132510.2088935-1-ovidiu.panait@windriver.com>
X-Mailing-List: stable@vger.kernel.org

From: Xin Long

commit 438b95a7c98f77d51cbf4db021f41b602d750a3f upstream.

Currently INIT_ACK chunk in non-cookie_echoed state is processed in
sctp_sf_discard_chunk() to send an abort with the existent asoc's vtag if
the chunk length is not valid. But the vtag in the chunk's sctphdr is not
verified, which may be exploited by one to cook a malicious chunk to
terminate an SCTP asoc.

sctp_sf_discard_chunk() also is called in many other places to send an
abort, and most of those have this problem.

This patch is to fix it by sending abort with the existent asoc's vtag only
if the vtag from the chunk's sctphdr is verified in sctp_sf_discard_chunk().

Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(), the
chunk length has been verified before sctp_sf_discard_chunk(), so replace it
with sctp_sf_discard().

On sctp_sf_do_asconf_ack() and sctp_sf_do_asconf(), move the
sctp_chunk_length_valid check ahead of sctp_sf_discard_chunk(), then replace
it with sctp_sf_discard().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: Jakub Kicinski
[OP: adjusted context for 4.19]
Signed-off-by: Ovidiu Panait
---
 net/sctp/sm_statefuns.c | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 5e17df88df5d..3d52431dea9b 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2304,7 +2304,7 @@ enum sctp_disposition sctp_sf_shutdown_pending_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -2350,7 +2350,7 @@ enum sctp_disposition sctp_sf_shutdown_sent_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -2620,7 +2620,7 @@ enum sctp_disposition sctp_sf_do_9_1_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
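Review bot: The three hunks here (@@ -2304 sctp_sf_shutdown_pending_abort(), @@ -2350 sctp_sf_shutdown_sent_abort(), @@ -2620 sctp_sf_do_9_1_abort()) replace sctp_sf_discard_chunk() with sctp_sf_pdiscard() in the SCTP_ADDR_DEL branch, but the commit message says these call sites were changed to sctp_sf_discard() and names only two of the three functions (sctp_sf_shutdown_sent_abort() is not mentioned). The code is consistent with the sctp_err_chunk_valid() failure path directly below each change, which already returns sctp_sf_pdiscard(), so it is the message that is off; since a backport keeps the upstream text, the [OP: ...] note is the place to record that the message says sctp_sf_discard() while the diff uses sctp_sf_pdiscard().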
@@ -3787,6 +3787,11 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); } + /* Make sure that the ASCONF ADDIP chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); + /* ADD-IP: Section 4.1.1 * This chunk MUST be sent in an authenticated way by using * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk @@ -3794,13 +3799,7 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, * described in [I-D.ietf-tsvwg-sctp-auth]. */ if (!net->sctp.addip_noauth && !chunk->auth) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, - commands); - - /* Make sure that the ASCONF ADDIP chunk has a valid length. */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); hdr = (struct sctp_addiphdr *)chunk->skb->data; serial = ntohl(hdr->serial); @@ -3929,6 +3928,12 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); } + /* Make sure that the ADDIP chunk has a valid length. */ + if (!sctp_chunk_length_valid(asconf_ack, + sizeof(struct sctp_addip_chunk))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); + /* ADD-IP, Section 4.1.2: * This chunk MUST be sent in an authenticated way by using * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk 
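Review bot: In the @@ -3787 / @@ -3794 hunks of sctp_sf_do_asconf(), moving the sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)) check ahead of the `!net->sctp.addip_noauth && !chunk->auth` test changes what an unauthenticated ASCONF gets: before, an unauthenticated chunk was dropped via sctp_sf_discard_chunk() before its length was examined; now an unauthenticated chunk that is also undersized reaches sctp_sf_violation_chunklen() and provokes a Protocol Violation ABORT, while a well-formed unauthenticated one is discarded with sctp_sf_pdiscard(). The commit message presents the move only as preparation for replacing sctp_sf_discard_chunk(); it should say explicitly that answering an unauthenticated, malformed ASCONF with an ABORT is intended, given that the surrounding ADD-IP Section 4.1.1 comment requires the chunk to be authenticated before it is acted on. The same reordering and the same question apply to the @@ -3929 hunk in sctp_sf_do_asconf_ack() for asconf_ack.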
@@ -3936,14 +3941,7 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, * described in [I-D.ietf-tsvwg-sctp-auth]. */ if (!net->sctp.addip_noauth && !asconf_ack->auth) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, - commands); - - /* Make sure that the ADDIP chunk has a valid length. */ - if (!sctp_chunk_length_valid(asconf_ack, - sizeof(struct sctp_addip_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; rcvd_serial = ntohl(addip_hdr->serial); @@ -4515,6 +4513,9 @@ enum sctp_disposition sctp_sf_discard_chunk(struct net *net, { struct sctp_chunk *chunk = arg; + if (asoc && !sctp_vtag_verify(chunk, asoc)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the chunk has a valid length. * Since we don't know the chunk type, we use a general * chunkhdr structure to make a comparison.
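Review bot: In the @@ -4515 hunk, the new `if (asoc && !sctp_vtag_verify(chunk, asoc))` guard in sctp_sf_discard_chunk() runs before the existing length check, which is only sound because sctp_vtag_verify() consults the packet's common header (chunk->sctp_hdr) rather than the chunk body whose length has not yet been validated; a comment stating that ordering dependency would help, since a future reorder of the two checks would silently reintroduce a read of an unvalidated chunk. The asoc == NULL case deliberately skips the guard and falls through to the chunkhdr length check as before, which is fine because there is no association vtag to compare against, but the commit message's "most of those have this problem" leaves open which sctp_sf_discard_chunk() callers it covers; listing them would make the backport reviewable. The hunk as shown also ends at the comment "chunkhdr structure to make a comparison." and does not include the abort-sending tail of the function, so the claim that an ABORT now only goes out with a verified vtag cannot be confirmed from this diff alone.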