Commit a43e8e87 authored by Marcelo Ricardo Leitner's avatar Marcelo Ricardo Leitner Committed by Kamal Mostafa

sctp: fix ASCONF list handling

[ Upstream commit 2d45a02d ]

->auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.

Also, the call to inet_sk_copy_descendant() was backuping
->auto_asconf_list through the copy but was not honoring
->do_auto_asconf, which could lead to list corruption if it was
different between both sockets.

This commit thus fixes the list handling by using ->addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handling on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addr_wq_lock. The lock now
will be taken on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().

Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().

Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.

Fixes: 9f7d653b ("sctp: Add Auto-ASCONF support (core).")
Reported-by: default avatarJi Jianwen <jiji@redhat.com>
Suggested-by: default avatarNeil Horman <nhorman@tuxdriver.com>
Suggested-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Reference: CVE-2015-3212
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent ab17bd6e
...@@ -31,6 +31,7 @@ struct netns_sctp { ...@@ -31,6 +31,7 @@ struct netns_sctp {
struct list_head addr_waitq; struct list_head addr_waitq;
struct timer_list addr_wq_timer; struct timer_list addr_wq_timer;
struct list_head auto_asconf_splist; struct list_head auto_asconf_splist;
/* Lock that protects both addr_waitq and auto_asconf_splist */
spinlock_t addr_wq_lock; spinlock_t addr_wq_lock;
/* Lock that protects the local_addr_list writers */ /* Lock that protects the local_addr_list writers */
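Review bot: The new comment on addr_wq_lock records what the lock covers but not where it sits in the lock order, which the sctp_close() hunk in this commit now depends on (addr_wq_lock is taken before bh_lock_sock() so as not to invert the order used by sctp_addr_wq_timeout_handler()). Since the lock is declared here, this is where a reader will look first; suggest `/* Lock that protects both addr_waitq and auto_asconf_splist; it nests outside the socket lock (see sctp_close() and sctp_addr_wq_timeout_handler()). */`. The enclosing struct netns_sctp begins before and ends after this hunk.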
...@@ -223,6 +223,10 @@ struct sctp_sock { ...@@ -223,6 +223,10 @@ struct sctp_sock {
atomic_t pd_mode; atomic_t pd_mode;
/* Receive to here while partial delivery is in effect. */ /* Receive to here while partial delivery is in effect. */
struct sk_buff_head pd_lobby; struct sk_buff_head pd_lobby;
/* These must be the last fields, as they will skipped on copies,
* like on accept and peeloff operations
*/
struct list_head auto_asconf_list; struct list_head auto_asconf_list;
int do_auto_asconf; int do_auto_asconf;
}; };
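Review bot: The new comment above auto_asconf_list reads `they will skipped`, and it does not say which code relies on these two members being last; suggest `/* These must be the last fields, as they will be skipped on copies, like on accept and peeloff operations (see sctp_copy_descendant()) */`. Nothing here enforces the ordering at compile time, so the cross-reference is the only guard a maintainer reordering the struct will see. The struct sctp_sock definition begins before this hunk.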
...@@ -1533,8 +1533,10 @@ static void sctp_close(struct sock *sk, long timeout) ...@@ -1533,8 +1533,10 @@ static void sctp_close(struct sock *sk, long timeout)
/* Supposedly, no process has access to the socket, but /* Supposedly, no process has access to the socket, but
* the net layers still may. * the net layers still may.
* Also, sctp_destroy_sock() needs to be called with addr_wq_lock
* held and that should be grabbed before socket lock.
*/ */
local_bh_disable(); spin_lock_bh(&net->sctp.addr_wq_lock);
bh_lock_sock(sk); bh_lock_sock(sk);
/* Hold the sock, since sk_common_release() will put sock_put() /* Hold the sock, since sk_common_release() will put sock_put()
...@@ -1544,7 +1546,7 @@ static void sctp_close(struct sock *sk, long timeout) ...@@ -1544,7 +1546,7 @@ static void sctp_close(struct sock *sk, long timeout)
sk_common_release(sk); sk_common_release(sk);
bh_unlock_sock(sk); bh_unlock_sock(sk);
local_bh_enable(); spin_unlock_bh(&net->sctp.addr_wq_lock);
sock_put(sk); sock_put(sk);
...@@ -3587,6 +3589,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval, ...@@ -3587,6 +3589,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf)) if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
return 0; return 0;
spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
if (val == 0 && sp->do_auto_asconf) { if (val == 0 && sp->do_auto_asconf) {
list_del(&sp->auto_asconf_list); list_del(&sp->auto_asconf_list);
sp->do_auto_asconf = 0; sp->do_auto_asconf = 0;
...@@ -3595,6 +3598,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval, ...@@ -3595,6 +3598,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
&sock_net(sk)->sctp.auto_asconf_splist); &sock_net(sk)->sctp.auto_asconf_splist);
sp->do_auto_asconf = 1; sp->do_auto_asconf = 1;
} }
spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
return 0; return 0;
} }
...@@ -4128,18 +4132,28 @@ static int sctp_init_sock(struct sock *sk) ...@@ -4128,18 +4132,28 @@ static int sctp_init_sock(struct sock *sk)
local_bh_disable(); local_bh_disable();
percpu_counter_inc(&sctp_sockets_allocated); percpu_counter_inc(&sctp_sockets_allocated);
sock_prot_inuse_add(net, sk->sk_prot, 1); sock_prot_inuse_add(net, sk->sk_prot, 1);
/* Nothing can fail after this block, otherwise
* sctp_destroy_sock() will be called without addr_wq_lock held
*/
if (net->sctp.default_auto_asconf) { if (net->sctp.default_auto_asconf) {
spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
list_add_tail(&sp->auto_asconf_list, list_add_tail(&sp->auto_asconf_list,
&net->sctp.auto_asconf_splist); &net->sctp.auto_asconf_splist);
sp->do_auto_asconf = 1; sp->do_auto_asconf = 1;
} else spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
} else {
sp->do_auto_asconf = 0; sp->do_auto_asconf = 0;
}
local_bh_enable(); local_bh_enable();
return 0; return 0;
} }
/* Cleanup any SCTP per socket resources. */ /* Cleanup any SCTP per socket resources. Must be called with
* sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true
*/
static void sctp_destroy_sock(struct sock *sk) static void sctp_destroy_sock(struct sock *sk)
{ {
struct sctp_sock *sp; struct sctp_sock *sp;
...@@ -7202,6 +7216,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, ...@@ -7202,6 +7216,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
newinet->mc_list = NULL; newinet->mc_list = NULL;
} }
static inline void sctp_copy_descendant(struct sock *sk_to,
const struct sock *sk_from)
{
int ancestor_size = sizeof(struct inet_sock) +
sizeof(struct sctp_sock) -
offsetof(struct sctp_sock, auto_asconf_list);
if (sk_from->sk_family == PF_INET6)
ancestor_size += sizeof(struct ipv6_pinfo);
__inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
}
/* Populate the fields of the newsk from the oldsk and migrate the assoc /* Populate the fields of the newsk from the oldsk and migrate the assoc
* and its messages to the newsk. * and its messages to the newsk.
*/ */
...@@ -7216,7 +7243,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, ...@@ -7216,7 +7243,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
struct sk_buff *skb, *tmp; struct sk_buff *skb, *tmp;
struct sctp_ulpevent *event; struct sctp_ulpevent *event;
struct sctp_bind_hashbucket *head; struct sctp_bind_hashbucket *head;
struct list_head tmplist;
/* Migrate socket buffer sizes and all the socket level options to the /* Migrate socket buffer sizes and all the socket level options to the
* new socket. * new socket.
...@@ -7224,12 +7250,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk, ...@@ -7224,12 +7250,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
newsk->sk_sndbuf = oldsk->sk_sndbuf; newsk->sk_sndbuf = oldsk->sk_sndbuf;
newsk->sk_rcvbuf = oldsk->sk_rcvbuf; newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
/* Brute force copy old sctp opt. */ /* Brute force copy old sctp opt. */
if (oldsp->do_auto_asconf) { sctp_copy_descendant(newsk, oldsk);
memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
inet_sk_copy_descendant(newsk, oldsk);
memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
} else
inet_sk_copy_descendant(newsk, oldsk);
/* Restore the ep value that was overwritten with the above structure /* Restore the ep value that was overwritten with the above structure
* copy. * copy.
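Review bot: sctp_copy_descendant() derives the copy size from offsetof(struct sctp_sock, auto_asconf_list), so it silently copies too little or too much if a member is ever placed after do_auto_asconf or between the two, and the only guard is the comment in struct sctp_sock. Suggest a compile-time check at the top of the helper, `BUILD_BUG_ON(offsetof(struct sctp_sock, auto_asconf_list) > offsetof(struct sctp_sock, do_auto_asconf));`, plus a one-line comment such as `/* Copy everything below auto_asconf_list; the trailing ASCONF fields are per-socket state and must not be duplicated. */` (checking that the pair also ends the struct is harder to state portably because of tail padding). Two smaller style points in the same file: the helper is `static inline` in a .c file, where kernel style normally lets the compiler decide, and the new lock lines in sctp_init_sock() spell `sock_net(sk)->sctp.addr_wq_lock` while `net` is already in scope on the neighbouring lines, so `spin_lock(&net->sctp.addr_wq_lock);` / `spin_unlock(&net->sctp.addr_wq_lock);` would read more consistently. sctp_sock_migrate() continues past the end of the last hunk.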