diff --git a/debian/changelog b/debian/changelog
index e28565fe5..fdd919821 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -86,6 +86,8 @@ linux (4.13.12-1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
   * mac80211: accept key reinstall without changing anything (CVE-2017-13080)
+  * sctp: do not peel off an assoc from one netns to another one
+    (CVE-2017-15115)
 
   [ Ben Hutchings ]
   * linux-image: Recommend apparmor, as systemd units with an AppArmor
diff --git a/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch b/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
new file mode 100644
index 000000000..ae30b5a0e
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
@@ -0,0 +1,63 @@
+From: Xin Long
+Date: Tue, 17 Oct 2017 23:26:10 +0800
+Subject: sctp: do not peel off an assoc from one netns to another one
+Origin: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15115
+
+Now when peeling off an association to the sock in another netns, all
+transports in this assoc are not to be rehashed and keep use the old
+key in hashtable.
+
+As a transport uses sk->net as the hash key to insert into hashtable,
+it would miss removing these transports from hashtable due to the new
+netns when closing the sock and all transports are being freeed, then
+later an use-after-free issue could be caused when looking up an asoc
+and dereferencing those transports.
+
+This is a very old issue since very beginning, ChunYu found it with
+syzkaller fuzz testing with this series:
+
+  socket$inet6_sctp()
+  bind$inet6()
+  sendto$inet6()
+  unshare(0x40000000)
+  getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
+  getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
+
+This patch is to block this call when peeling one assoc off from one
+netns to another one, so that the netns of all transport would not
+go out-sync with the key in hashtable.
+
+Note that this patch didn't fix it by rehashing transports, as it's
+difficult to handle the situation when the tuple is already in use
+in the new netns. Besides, no one would like to peel off one assoc
+to another netns, considering ipaddrs, ifaces, etc. are usually
+different.
+
+Reported-by: ChunYu Wang
+Signed-off-by: Xin Long
+Acked-by: Marcelo Ricardo Leitner
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index d4730ada7f32..17841ab30798 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ 	struct socket *sock;
+ 	int err = 0;
+ 
++	/* Do not peel off from one netns to another one. */
++	if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
++		return -EINVAL;
++
+ 	if (!asoc)
+ 		return -EINVAL;
+ 
+-- 
+2.15.0
+
diff --git a/debian/patches/series b/debian/patches/series
index a10d1fb0d..947383c38 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -115,6 +115,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch
+bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
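Review bot: The comment on the new check in sctp_do_peeloff states the rule but not the reason, so a later rebase or backport could read it as a policy restriction and drop it; since the patch description says transports are hashed under the socket's netns and a peeled-off socket living in another netns would leave stale hashtable entries behind, the comment should carry that, e.g. `/* Transports are hashed by sock_net(sk); peeling off into another netns would leave stale hashtable entries (use-after-free on lookup), so refuse it. */`. The check compares against current->nsproxy->net_ns, which presumably matches the netns the peeled-off socket is later created in, but that socket creation is outside the hunk, so this cannot be confirmed here. sctp_do_peeloff starts before the hunk (asoc is looked up above the shown lines) and continues after it.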