[linux] 02/02: sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115)

debian-kernel at lists.debian.org
Thu Nov 16 14:23:58 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 6ff07bd9a5004feb2ec861696efd1a1be8c0120e
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Nov 16 15:21:47 2017 +0100

    sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115)
---
 debian/changelog                                   |  2 +
 ...-peel-off-an-assoc-from-one-netns-to-anot.patch | 63 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 66 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e28565f..fdd9198 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -86,6 +86,8 @@ linux (4.13.12-1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
   * mac80211: accept key reinstall without changing anything (CVE-2017-13080)
+  * sctp: do not peel off an assoc from one netns to another one
+    (CVE-2017-15115)
 
   [ Ben Hutchings ]
   * linux-image: Recommend apparmor, as systemd units with an AppArmor
diff --git a/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch b/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
new file mode 100644
index 0000000..ae30b5a
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
@@ -0,0 +1,63 @@
+From: Xin Long <lucien.xin at gmail.com>
+Date: Tue, 17 Oct 2017 23:26:10 +0800
+Subject: sctp: do not peel off an assoc from one netns to another one
+Origin: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15115
+
+Now when peeling off an association to the sock in another netns, all
+transports in this assoc are not to be rehashed and keep use the old
+key in hashtable.
+
+As a transport uses sk->net as the hash key to insert into hashtable,
+it would miss removing these transports from hashtable due to the new
+netns when closing the sock and all transports are being freeed, then
+later an use-after-free issue could be caused when looking up an asoc
+and dereferencing those transports.
+
+This is a very old issue since very beginning, ChunYu found it with
+syzkaller fuzz testing with this series:
+
+  socket$inet6_sctp()
+  bind$inet6()
+  sendto$inet6()
+  unshare(0x40000000)
+  getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
+  getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
+
+This patch is to block this call when peeling one assoc off from one
+netns to another one, so that the netns of all transport would not
+go out-sync with the key in hashtable.
+
+Note that this patch didn't fix it by rehashing transports, as it's
+difficult to handle the situation when the tuple is already in use
+in the new netns. Besides, no one would like to peel off one assoc
+to another netns, considering ipaddrs, ifaces, etc. are usually
+different.
+
+Reported-by: ChunYu Wang <chunwang at redhat.com>
+Signed-off-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index d4730ada7f32..17841ab30798 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ 	struct socket *sock;
+ 	int err = 0;
+ 
++	/* Do not peel off from one netns to another one. */
++	if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
++		return -EINVAL;
++
+ 	if (!asoc)
+ 		return -EINVAL;
+ 
+-- 
+2.15.0
+
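Review bot: the new check in sctp_do_peeloff, `if (!net_eq(current->nsproxy->net_ns, sock_net(sk))) return -EINVAL;`, is placed before the existing `if (!asoc)` test, which is the right ordering: a caller whose current netns differs from the socket's netns is rejected before any association state is touched, so the transports keep the hashtable key derived from sk->net that the description says would otherwise go stale and lead to the use-after-free at close. Two points for the backport record. First, the inline comment `/* Do not peel off from one netns to another one. */` states what is blocked but not why; a short mention that transports are hashed by the socket's netns (as the commit message explains) would help the next reader of net/sctp/socket.c, although changing it here would diverge from the upstream commit named in the Origin line. Second, reusing -EINVAL means userspace cannot distinguish a bad association id from a netns mismatch; that matches upstream and should stay for fidelity, but it is worth noting in the changelog that SCTP_SOCKOPT_PEELOFF now fails with EINVAL after the unshare(0x40000000) (CLONE_NEWNET) step shown in the reproducer sequence, since that is a visible behaviour change for any user of this path. The Origin and Bug-Debian-Security headers are present and the hunk header line numbers match the upstream diff, so this reads as a clean cherry-pick.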
diff --git a/debian/patches/series b/debian/patches/series
index a10d1fb..947383c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -115,6 +115,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch
+bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
