1 From foo@baz Tue Apr 10 23:20:08 CEST 2018
2 From: Eric Dumazet <edumazet@google.com>
3 Date: Sun, 8 Apr 2018 07:52:08 -0700
4 Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
5
6 From: Eric Dumazet <edumazet@google.com>
7
8
9 [ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]
10
11 Check must happen before call to ipv6_addr_v4mapped()
12
13 syzbot report was :
14
15 BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
16 BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
17 CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
18 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
19 Call Trace:
20 __dump_stack lib/dump_stack.c:17 [inline]
21 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
22 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
23 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
24 sctp_sockaddr_af net/sctp/socket.c:359 [inline]
25 sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
26 sctp_bind+0x149/0x190 net/sctp/socket.c:332
27 inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
28 SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
29 SyS_bind+0x54/0x80 net/socket.c:1460
30 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
31 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
32 RIP: 0033:0x43fd49
33 RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
34 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
35 RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
36 RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
37 R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
38 R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000
39
40 Local variable description: ----address@SYSC_bind
41 Variable was created at:
42 SYSC_bind+0x6f/0x4b0 net/socket.c:1461
43 SyS_bind+0x54/0x80 net/socket.c:1460
44
45 Signed-off-by: Eric Dumazet <edumazet@google.com>
46 Cc: Vlad Yasevich <vyasevich@gmail.com>
47 Cc: Neil Horman <nhorman@tuxdriver.com>
48 Reported-by: syzbot <syzkaller@googlegroups.com>
49 Signed-off-by: David S. Miller <davem@davemloft.net>
50 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
51 ---
52 net/sctp/socket.c | 13 ++++++++-----
53 1 file changed, 8 insertions(+), 5 deletions(-)
54
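--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -337,11 +337,14 @@ static struct sctp_af *sctp_sockaddr_af(
 if (!opt->pf->af_supported(addr->sa.sa_family, opt))
 return NULL;
 
-/* V4 mapped address are really of AF_INET family */
-if (addr->sa.sa_family == AF_INET6 &&
-ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
-!opt->pf->af_supported(AF_INET, opt))
-return NULL;
+if (addr->sa.sa_family == AF_INET6) {
+if (len < SIN6_LEN_RFC2133)
+return NULL;
+/* V4 mapped address are really of AF_INET family */
+if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+!opt->pf->af_supported(AF_INET, opt))
+return NULL;
+}
 
 /* If we get this far, af is valid. */
 af = sctp_get_af_specific(addr->sa.sa_family);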
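Review bot: The new `if (len < SIN6_LEN_RFC2133)` guard carries no comment saying why that constant, rather than `sizeof(struct sockaddr_in6)`, is the right bound at this point; a reader has to know that `ipv6_addr_v4mapped()` on the following line only dereferences `sin6_addr`, which the 24-byte RFC 2133 layout already covers. Suggest `/* ipv6_addr_v4mapped() reads sin6_addr; it must lie within the caller-supplied len */` directly above the check. The guard is keyed on `addr->sa.sa_family`, so it presumably relies on a minimal `sizeof(struct sockaddr)` check earlier in the function, which is outside this hunk. sctp_sockaddr_af() starts and ends outside the hunk, and any full per-family length check after `sctp_get_af_specific()` is not visible here.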