CMNT: [Xenial SRU PATCH] sctp: deny peeloff operation on asocs with threads sleeping on it

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Thu Mar 30 12:02:00 UTC 2017


On Wed, Mar 29, 2017 at 03:50:03PM -0700, Brad Figg wrote:
> 
> I don't see a buglink nor do I find a launchpad bug for this CVE. Both are
> required for an SRU.
> 

I assumed that as the patch has the CVE line, a bug was not required.

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1677579

Cascardo.

> On Tue, Mar 21, 2017 at 04:54:15PM -0300, Thadeu Lima de Souza Cascardo wrote:
> > From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
> > 
> > commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
> > attempted to avoid a BUG_ON call when the association being used for a
> > sendmsg() is blocked waiting for more sndbuf and another thread did a
> > peeloff operation on such asoc, moving it to another socket.
> > 
> > As Ben Hutchings noticed, then in such case it would return without
> > locking back the socket and would cause two unlocks in a row.
> > 
> > Further analysis also revealed that it could allow a double free if the
> > application managed to peeloff the asoc that is created during the
> > sendmsg call, because then sctp_sendmsg() would try to free the asoc
> > that was created only for that call.
> > 
> > This patch takes another approach. It will deny the peeloff operation
> > if there is a thread sleeping on the asoc, so this situation doesn't
> > exist anymore. This avoids the issues described above and also honors
> > the syscalls that are already being handled (it can be multiple sendmsg
> > calls).
> > 
> > Joint work with Xin Long.
> > 
> > Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
> > Cc: Alexander Popov <alex.popov at linux.com>
> > Cc: Ben Hutchings <ben at decadent.org.uk>
> > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
> > Signed-off-by: Xin Long <lucien.xin at gmail.com>
> > Signed-off-by: David S. Miller <davem at davemloft.net>
> > (cherry picked from commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1)
> > CVE-2017-6353
> > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> > ---
> >  net/sctp/socket.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> > index 138f2d6..5758818 100644
> > --- a/net/sctp/socket.c
> > +++ b/net/sctp/socket.c
> > @@ -4422,6 +4422,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
> >  	if (!asoc)
> >  		return -EINVAL;
> >  
> > +	/* If there is a thread waiting on more sndbuf space for
> > +	 * sending on this asoc, it cannot be peeled.
> > +	 */
> > +	if (waitqueue_active(&asoc->wait))
> > +		return -EBUSY;
> > +
> >  	/* An association cannot be branched off from an already peeled-off
> >  	 * socket, nor is this supported for tcp style sockets.
> >  	 */
> > @@ -6960,8 +6966,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
> >  		 */
> >  		release_sock(sk);
> >  		current_timeo = schedule_timeout(current_timeo);
> > -		if (sk != asoc->base.sk)
> > -			goto do_error;
> >  		lock_sock(sk);
> >  
> >  		*timeo_p = current_timeo;
> > -- 
> > 2.9.3
> > 
> > 
> > -- 
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 
> -- 
> Brad Figg brad.figg at canonical.com http://www.canonical.com




More information about the kernel-team mailing list