linux-stable/net
Daniel Borkmann 1abd165ed7 net: sctp: fix NULL pointer dereference in socket destruction
While stress testing sctp sockets, I hit the following panic:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
PGD 7cead067 PUD 7ce76067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: sctp(F) libcrc32c(F) [...]
CPU: 7 PID: 2950 Comm: acc Tainted: GF            3.10.0-rc2+ #1
Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
RIP: 0010:[<ffffffffa0490c4e>]  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
RSP: 0018:ffff88007b569e08  EFLAGS: 00010292
RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
FS:  00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
 ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
 ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
Call Trace:
 [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
 [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
 [<ffffffff814df36e>] inet_create+0x2ae/0x350
 [<ffffffff81455a6f>] __sock_create+0x11f/0x240
 [<ffffffff81455bf0>] sock_create+0x30/0x40
 [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
 [<ffffffff815403be>] ? do_page_fault+0xe/0x10
 [<ffffffff8153cb32>] ? page_fault+0x22/0x30
 [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
      1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
      8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
RIP  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
 RSP <ffff88007b569e08>
CR2: 0000000000000020
---[ end trace e0d71ec1108c1dd9 ]---

I did not hit this with the lksctp-tools functional tests, but with a
small, multi-threaded test program, that heavily allocates, binds,
listens and waits in accept on sctp sockets, and then randomly kills
some of them (no need for an actual client in this case to hit this).
Then, again, allocating, binding, etc, and then killing child processes.

This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
is set. The cause for that is actually very simple: in sctp_endpoint_init()
we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
our crypto transforms through crypto_alloc_hash(). In our scenario,
it then can happen that crypto_alloc_hash() fails with -EINTR from
crypto_larval_wait(), thus we bail out and release the socket via
sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
dereference as soon as we try to access members in the endpoint during
sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
if we have that case, we do not need to do any cleanup work and just
leave the destruction handler.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-11 02:49:05 -07:00
..
9p Lots of virtio work which wasn't quite ready for last merge window. Plus 2013-05-02 14:14:04 -07:00
802 net/802/mrp: fix lockdep splat 2013-05-14 13:02:30 -07:00
8021q net: vlan,ethtool: netdev_features_t is more than 32 bit 2013-05-02 13:58:12 -04:00
appletalk appletalk: info leak in ->getname() 2013-04-25 01:47:58 -04:00
atm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
ax25 ax25: fix info leak via msg_name in ax25_recvmsg() 2013-04-07 16:28:00 -04:00
batman-adv batman-adv: Avoid double freeing of bat_counters 2013-05-21 21:34:36 +02:00
bluetooth Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
bridge netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
caif caif: Remove bouncing address for Daniel Martensson 2013-04-23 13:25:51 -04:00
can Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
ceph libceph: init sent and completed when starting 2013-05-13 12:52:23 -05:00
core sock_diag: fix filter code sent to userspace 2013-06-10 22:23:32 -07:00
dcb
dccp
decnet decnet: remove duplicated include from dn_table.c 2013-04-07 17:12:01 -04:00
dns_resolver
dsa
ethernet
ieee802154 ieee802154/nl-mac.c: make some MLME operations optional 2013-04-08 12:00:16 -04:00
ipv4 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2013-05-30 16:38:38 -07:00
ipv6 ipv6: assign rt6_info to inet6_ifaddr in init_loopback 2013-06-04 16:57:41 -07:00
ipx
irda net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 2013-05-19 15:10:47 -07:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-22 20:32:51 -04:00
key xfrm: force a garbage collection after deleting a policy 2013-05-31 17:30:07 -07:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-07 18:37:01 -04:00
lapb
llc llc: Fix missing msg_namelen update in llc_ui_recvmsg() 2013-04-07 16:28:01 -04:00
mac80211 mac80211: Allow single vif mac address change with addr_mask 2013-05-27 11:26:48 +02:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-30 03:55:20 -04:00
netfilter ipvs: info leak in __ip_vs_get_dest_entries() 2013-06-10 14:53:00 +02:00
netlabel netlabel: improve domain mapping validation 2013-05-19 14:49:55 -07:00
netlink net: fix sk_buff head without data area 2013-06-04 17:26:49 -07:00
netrom netrom: info leak in ->getname() 2013-04-25 01:47:58 -04:00
nfc NFC: Remove commented out LLCP related Makefile line 2013-05-21 10:47:41 +02:00
openvswitch openvswitch: Remove unneeded ovs_netdev_get_ifindex() 2013-04-30 00:19:11 -04:00
packet packet: tpacket_v3: do not trigger bug() on wrong header status 2013-05-03 16:10:33 -04:00
phonet
rds
rfkill Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next 2013-04-22 14:58:14 -04:00
rose rose: fix info leak via msg_name in rose_recvmsg() 2013-04-07 16:28:02 -04:00
rxrpc
sched net_sched: qdisc_get_rtab() must check data[] array 2013-06-07 15:24:04 -07:00
sctp net: sctp: fix NULL pointer dereference in socket destruction 2013-06-11 02:49:05 -07:00
sunrpc Merge branch 'for-3.10' of git://linux-nfs.org/~bfields/linux 2013-05-31 09:48:56 +09:00
tipc tipc: potential divide by zero in tipc_link_recv_fragment() 2013-05-06 16:16:52 -04:00
unix af_unix: fix a fatal race with bit fields 2013-05-01 15:13:49 -04:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-30 03:55:20 -04:00
wimax
wireless cfg80211: fix reporting 64-bit station info tx bytes 2013-05-23 22:08:18 +02:00
x25 x25: use proc_remove_subtree() 2013-04-09 14:13:35 -04:00
xfrm xfrm: force a garbage collection after deleting a policy 2013-05-31 17:30:07 -07:00
compat.c net: Unbreak compat_sys_{send,recv}msg 2013-06-06 11:52:14 -07:00
Kconfig netlink: kconfig: move mmap i/o into netlink kconfig 2013-05-01 15:02:42 -04:00
Makefile
nonet.c
socket.c net: Unbreak compat_sys_{send,recv}msg 2013-06-06 11:52:14 -07:00
sysctl_net.c