redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/net/sctp
History
Xin Long cbf89ebfc0 sctp: fully initialize v4 addr in some functions 
[ Upstream commit b6f3320b1d ]

Syzbot found a crash:

  BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
  BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
  BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
  Call Trace:
    crc32_body lib/crc32.c:112 [inline]
    crc32_le_generic lib/crc32.c:179 [inline]
    __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
    chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
    crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
    crc32c+0x150/0x220 lib/libcrc32c.c:47
    sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
    __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
    sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
    sctp_packet_pack net/sctp/output.c:528 [inline]
    sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
    sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
    sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
    sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
    sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
    sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
    sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
    sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
    sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
    sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
    sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672

The issue was caused by transport->ipaddr set with uninit addr param, which
was passed by:

  sctp_transport_init net/sctp/transport.c:47 [inline]
  sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
  sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
  sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]

where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
the padding of addr->v4.

Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
will become the part of skb, and the issue occurs.

This patch is to fix it by initializing the padding of addr->v4 in
sctp_v4_from_addr_param(), as well as other functions that do the similar
thing, and these functions shouldn't trust that the caller initializes the
memory, as Marcelo suggested.

Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2019-12-31 16:41:35 +01:00
..
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile sctp: rename sctp_diag.c as diag.c 2018-02-13 13:56:31 -05:00
associola.c sctp: cache netns in sctp_ep_common 2019-12-04 22:30:57 +01:00
auth.c sctp: add sctp_auth_init and sctp_auth_free 2019-08-19 18:27:29 -07:00
bind_addr.c sctp: remove rcu_read_lock from sctp_bind_addr_state 2019-07-08 20:18:11 -07:00
chunk.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
debug.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
diag.c net: silence KCSAN warnings about sk->sk_backlog.len reads 2019-10-09 21:43:00 -07:00
endpointola.c sctp: cache netns in sctp_ep_common 2019-12-04 22:30:57 +01:00
input.c sctp: cache netns in sctp_ep_common 2019-12-04 22:30:57 +01:00
inqueue.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
ipv6.c net: ipv6: add net argument to ip6_dst_lookup_flow 2019-12-18 16:08:40 +01:00
objcnt.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 11:00:14 -07:00
output.c sctp: count data bundling sack chunk for outctrlchunks 2019-07-03 11:41:24 -07:00
outqueue.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
primitive.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
proc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
protocol.c sctp: fully initialize v4 addr in some functions 2019-12-31 16:41:35 +01:00
sm_make_chunk.c net: sctp: Rename fallthrough label to unhandled 2019-10-11 09:26:05 -07:00
sm_sideeffect.c sctp: use transport pf_retrans in sctp_do_8_2_transport_strike 2019-09-05 00:29:21 +02:00
sm_statefuns.c sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook 2019-12-04 22:30:55 +01:00
sm_statetable.c sctp: remove net sctp.x_enable working as a global switch 2019-08-19 18:27:29 -07:00
socket.c inet: stop leaking jiffies on the wire 2019-11-01 14:57:52 -07:00
stream.c sctp: fix memleak on err handling of stream initialization 2019-12-31 16:41:34 +01:00
stream_interleave.c sctp: rename asoc intl_enable to asoc peer.intl_capable 2019-07-08 20:16:25 -07:00
stream_sched.c sctp: rename asoc intl_enable to asoc peer.intl_capable 2019-07-08 20:16:25 -07:00
stream_sched_prio.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
stream_sched_rr.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
sysctl.c sctp: allow users to set netns ecn flag with sysctl 2019-08-27 20:54:14 -07:00
transport.c sctp: only copy the available addr data in sctp_transport_init 2019-07-30 14:18:14 -07:00
tsnmap.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
ulpevent.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00
ulpqueue.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 104 2019-05-24 17:39:00 +02:00