ACK: [Precise][CVE-2015-3212] sctp: fix ASCONF list handling

Seth Forshee seth.forshee at canonical.com
Wed Jul 15 12:34:49 UTC 2015 

On Tue, Jul 14, 2015 at 02:06:29PM -0700, Kamal Mostafa wrote:
> From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
> 
> [ Upstream commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 ]
> 
> ->auto_asconf_splist is per namespace and mangled by functions like
> sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
> 
> Also, the call to inet_sk_copy_descendant() was backuping
> ->auto_asconf_list through the copy but was not honoring
> ->do_auto_asconf, which could lead to list corruption if it was
> different between both sockets.
> 
> This commit thus fixes the list handling by using ->addr_wq_lock
> spinlock to protect the list. A special handling is done upon socket
> creation and destruction for that. Error handlig on sctp_init_sock()
> will never return an error after having initialized asconf, so
> sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
> will be take on sctp_close_sock(), before locking the socket, so we
> don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
> 
> Instead of taking the lock on sctp_sock_migrate() for copying and
> restoring the list values, it's preferred to avoid rewritting it by
> implementing sctp_copy_descendant().
> 
> Issue was found with a test application that kept flipping sysctl
> default_auto_asconf on and off, but one could trigger it by issuing
> simultaneous setsockopt() calls on multiple sockets or by
> creating/destroying sockets fast enough. This is only triggerable
> locally.
> 
> Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
> Reported-by: Ji Jianwen <jiji at redhat.com>
> Suggested-by: Neil Horman <nhorman at tuxdriver.com>
> Suggested-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
> Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> Reference: CVE-2015-3212
> [ kamal: backport to 3.2 (Ubuntu Precise): use global sctp_addr_wq_lock;
>     context around sctp_ macros ]
> Signed-off-by: Kamal Mostafa <kamal at canonical.com>

The backport looks correct to me.

Acked-by: Seth Forshee <seth.forshee at canonical.com>

More information about the kernel-team mailing list