tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

sctp: bring inet(6)_skb_parm back to sctp_input_cb

inet(6)_skb_parm was removed from sctp_input_cb by Commit a1dd2cf2f1ae
("sctp: allow changing transport encap_port by peer packets"), as it
thought sctp_input_cb->header is not used any more in SCTP.

syzbot reported a crash:

[ ] BUG: KASAN: use-after-free in decode_session6+0xe7c/0x1580
[ ]
[ ] Call Trace:
[ ] <IRQ>
[ ] dump_stack+0x107/0x163
[ ] kasan_report.cold+0x1f/0x37
[ ] decode_session6+0xe7c/0x1580
[ ] __xfrm_policy_check+0x2fa/0x2850
[ ] sctp_rcv+0x12b0/0x2e30
[ ] sctp6_rcv+0x22/0x40
[ ] ip6_protocol_deliver_rcu+0x2e8/0x1680
[ ] ip6_input_finish+0x7f/0x160
[ ] ip6_input+0x9c/0xd0
[ ] ipv6_rcv+0x28e/0x3c0

It was caused by sctp_input_cb->header/IP6CB(skb) still used in sctp rx
path decode_session6() but some members overwritten by sctp6_rcv().

This patch is to fix it by bring inet(6)_skb_parm back to sctp_input_cb
and not overwriting it in sctp4/6_rcv() and sctp_udp_rcv().

Reported-by: syzbot+5be8aebb1b7dfa90ef31@syzkaller.appspotmail.com
Fixes: a1dd2cf2f1ae ("sctp: allow changing transport encap_port by peer packets")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://lore.kernel.org/r/136c1a7a419341487c504be6d1996928d9d16e02.1604472932.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Xin Long and committed by
Jakub Kicinski 0356010d 67438feb

+8 -3
+6
include/net/sctp/structs.h
··· 1121 1121 * sctp_input_cb is currently used on rx and sock rx queue 1122 1122 */ 1123 1123 struct sctp_input_cb { 1124 + union { 1125 + struct inet_skb_parm h4; 1126 + #if IS_ENABLED(CONFIG_IPV6) 1127 + struct inet6_skb_parm h6; 1128 + #endif 1129 + } header; 1124 1130 struct sctp_chunk *chunk; 1125 1131 struct sctp_af *af; 1126 1132 __be16 encap_port;
+1 -1
net/sctp/ipv6.c
··· 1074 1074 1075 1075 static int sctp6_rcv(struct sk_buff *skb) 1076 1076 { 1077 - memset(skb->cb, 0, sizeof(skb->cb)); 1077 + SCTP_INPUT_CB(skb)->encap_port = 0; 1078 1078 return sctp_rcv(skb) ? -1 : 0; 1079 1079 } 1080 1080
+1 -2
net/sctp/protocol.c
··· 843 843 844 844 static int sctp_udp_rcv(struct sock *sk, struct sk_buff *skb) 845 845 { 846 - memset(skb->cb, 0, sizeof(skb->cb)); 847 846 SCTP_INPUT_CB(skb)->encap_port = udp_hdr(skb)->source; 848 847 849 848 skb_set_transport_header(skb, sizeof(struct udphdr)); ··· 1162 1163 1163 1164 static int sctp4_rcv(struct sk_buff *skb) 1164 1165 { 1165 - memset(skb->cb, 0, sizeof(skb->cb)); 1166 + SCTP_INPUT_CB(skb)->encap_port = 0; 1166 1167 return sctp_rcv(skb); 1167 1168 } 1168 1169