4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 24 Sep 2021 08:51:08 +0000 (10:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 24 Sep 2021 08:51:08 +0000 (10:51 +0200)
added patches:
sctp-add-param-size-validation-for-sctp_param_set_primary.patch
sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch

queue-4.4/sctp-add-param-size-validation-for-sctp_param_set_primary.patch [new file with mode: 0644]
queue-4.4/sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/sctp-add-param-size-validation-for-sctp_param_set_primary.patch b/queue-4.4/sctp-add-param-size-validation-for-sctp_param_set_primary.patch
new file mode 100644 (file)
index 0000000..1470b85
--- /dev/null
@@ -0,0 +1,50 @@
+From ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:44 -0300
+Subject: sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.
+
+When SCTP handles an INIT chunk, it calls for example:
+sctp_sf_do_5_1B_init
+  sctp_verify_init
+    sctp_verify_param
+  sctp_process_init
+    sctp_process_param
+      handling of SCTP_PARAM_SET_PRIMARY
+
+sctp_verify_init() wasn't doing proper size validation and neither the
+later handling, allowing it to work over the chunk itself, possibly being
+uninitialized memory.
+
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2146,9 +2146,16 @@ static sctp_ierror_t sctp_verify_param(s
+               break;
+       case SCTP_PARAM_SET_PRIMARY:
+-              if (net->sctp.addip_enable)
+-                      break;
+-              goto fallthrough;
++              if (!net->sctp.addip_enable)
++                      goto fallthrough;
++
++              if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
++                                           sizeof(struct sctp_paramhdr)) {
++                      sctp_process_inv_paramlength(asoc, param.p,
++                                                   chunk, err_chunk);
++                      retval = SCTP_IERROR_ABORT;
++              }
++              break;
+       case SCTP_PARAM_HOST_NAME_ADDRESS:
+               /* Tell the peer, we won't support this param.  */
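Review bot: The new SCTP_PARAM_SET_PRIMARY guard at the `ntohs(param.p->length) < sizeof(struct sctp_addip_param) + sizeof(struct sctp_paramhdr)` comparison proves only that a parameter header fits behind the ADDIP header; the address body of that nested parameter, which the later SET_PRIMARY handling in sctp_process_param reads, is not bounded by this check, so that read still depends on length validation in the address-conversion path, which is outside this hunk and worth confirming on the 4.4 tree. Since the minimum is derived from two struct sizes rather than stated, a comment above the `if` would keep the next reader from "tightening" it to the wrong bound, e.g. `/* Need the ADDIP header plus at least a parameter header for the nested address parameter; its body is checked when the address is parsed */`. The enclosing sctp_verify_param switch starts and ends outside the hunk.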
diff --git a/queue-4.4/sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch b/queue-4.4/sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
new file mode 100644 (file)
index 0000000..ab1ced0
--- /dev/null
@@ -0,0 +1,37 @@
+From b6ffe7671b24689c09faa5675dd58f93758a97ae Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 28 Jun 2021 16:13:43 -0300
+Subject: sctp: validate chunk size in __rcv_asconf_lookup
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+commit b6ffe7671b24689c09faa5675dd58f93758a97ae upstream.
+
+In one of the fallbacks that SCTP has for identifying an association for an
+incoming packet, it looks for AddIp chunk (from ASCONF) and take a peek.
+Thing is, at this stage nothing was validating that the chunk actually had
+enough content for that, allowing the peek to happen over uninitialized
+memory.
+
+Similar check already exists in actual asconf handling in
+sctp_verify_asconf().
+
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/input.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1008,6 +1008,9 @@ static struct sctp_association *__sctp_r
+       union sctp_addr_param *param;
+       union sctp_addr paddr;
++      if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
++              return NULL;
++
+       /* Skip over the ADDIP header and find the Address parameter */
+       param = (union sctp_addr_param *)(asconf + 1);
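Review bot: The guard added before the peek, `ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr)`, bounds only the nested parameter header, not the address body behind it: the parameter's type field is now inside the chunk, but the family-specific payload that the lookup converts from `param` is still not compared against the nested parameter's own length or the remainder of `ch->length` here, so those bytes presumably rely on the address-parameter conversion doing its own length check; that is outside this hunk and should be confirmed. A one-line comment stating that scope would help, e.g. `/* Need the ADDIP header plus one parameter header before reading the address parameter's type */`. __sctp_rcv_asconf_lookup continues past the end of the hunk.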
index 60194d35f440550af83004af1c88812261381d08..ca6f2a86b6d04f4ad99b85cfff0c6d004261edb0 100644 (file)
@@ -1,2 +1,4 @@
 s390-bpf-fix-optimizing-out-zero-extensions.patch
 pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch
+sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
+sctp-add-param-size-validation-for-sctp_param_set_primary.patch