sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115)
parent 5d9e74ced8
commit 6ff07bd9a5
@ -86,6 +86,8 @@ linux (4.13.12-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
* mac80211: accept key reinstall without changing anything (CVE-2017-13080)
* sctp: do not peel off an assoc from one netns to another one
(CVE-2017-15115)

[ Ben Hutchings ]
* linux-image: Recommend apparmor, as systemd units with an AppArmor
debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch (vendored, normal file, 63 lines)
@ -0,0 +1,63 @@
From: Xin Long <lucien.xin@gmail.com>
Date: Tue, 17 Oct 2017 23:26:10 +0800
Subject: sctp: do not peel off an assoc from one netns to another one
Origin: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15115

Now when peeling off an association to the sock in another netns, all
transports in this assoc are not to be rehashed and keep use the old
key in hashtable.

As a transport uses sk->net as the hash key to insert into hashtable,
it would miss removing these transports from hashtable due to the new
netns when closing the sock and all transports are being freeed, then
later an use-after-free issue could be caused when looking up an asoc
and dereferencing those transports.

This is a very old issue since very beginning, ChunYu found it with
syzkaller fuzz testing with this series:

socket$inet6_sctp()
bind$inet6()
sendto$inet6()
unshare(0x40000000)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()

This patch is to block this call when peeling one assoc off from one
netns to another one, so that the netns of all transport would not
go out-sync with the key in hashtable.

Note that this patch didn't fix it by rehashing transports, as it's
difficult to handle the situation when the tuple is already in use
in the new netns. Besides, no one would like to peel off one assoc
to another netns, considering ipaddrs, ifaces, etc. are usually
different.

Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/sctp/socket.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index d4730ada7f32..17841ab30798 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
struct socket *sock;
int err = 0;

+ /* Do not peel off from one netns to another one. */
+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
+ return -EINVAL;
+
if (!asoc)
return -EINVAL;

--
2.15.0
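Review bot: the new guard `+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))` returns -EINVAL, the same value the existing `if (!asoc)` branch right below it returns, so a caller of SCTP_SOCKOPT_PEELOFF cannot distinguish a refused cross-netns peel-off from an unknown association id. This is the verbatim upstream change (Origin df80cd9b28b9), so the errno should stay, but the Debian patch header would benefit from one line stating that the fix deliberately refuses the operation instead of rehashing the transports, as the message explains, so that a later backport review does not mistake it for an incomplete fix. The placement is sound: the check depends only on the calling task and the socket, not on `asoc`, and sctp_do_peeloff is reached from the getsockopt path shown in the reproducer, so dereferencing `current->nsproxy` here is in process context.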
@ -115,6 +115,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch
bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch

# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch