From: Greg Kroah-Hartman Date: Fri, 24 Sep 2021 08:54:33 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.285~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d1023836f57341a63a3ddf2fdfa78ca67d91aa65;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: sctp-add-param-size-validation-for-sctp_param_set_primary.patch sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
---
diff --git a/queue-4.14/sctp-add-param-size-validation-for-sctp_param_set_primary.patch b/queue-4.14/sctp-add-param-size-validation-for-sctp_param_set_primary.patch
new file mode 100644
index 00000000000..b5ef0fe6da2
--- /dev/null
+++ b/queue-4.14/sctp-add-param-size-validation-for-sctp_param_set_primary.patch
@@ -0,0 +1,50 @@
+From ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner
+Date: Mon, 28 Jun 2021 16:13:44 -0300
+Subject: sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
+
+From: Marcelo Ricardo Leitner
+
+commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.
+
+When SCTP handles an INIT chunk, it calls for example:
+sctp_sf_do_5_1B_init
+ sctp_verify_init
+ sctp_verify_param
+ sctp_process_init
+ sctp_process_param
+ handling of SCTP_PARAM_SET_PRIMARY
+
+sctp_verify_init() wasn't doing proper size validation and neither the
+later handling, allowing it to work over the chunk itself, possibly being
+uninitialized memory.
+
+Signed-off-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sm_make_chunk.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2161,9 +2161,16 @@ static enum sctp_ierror sctp_verify_para
+ break;
+
+ case SCTP_PARAM_SET_PRIMARY:
+- if (net->sctp.addip_enable)
+- break;
+- goto fallthrough;
++ if (!net->sctp.addip_enable)
++ goto fallthrough;
++
++ if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
++ sizeof(struct sctp_paramhdr)) {
++ sctp_process_inv_paramlength(asoc, param.p,
++ chunk, err_chunk);
++ retval = SCTP_IERROR_ABORT;
++ }
++ break;
+
+ case SCTP_PARAM_HOST_NAME_ADDRESS:
+ /* Tell the peer, we won't support this param. */
diff --git a/queue-4.14/sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch b/queue-4.14/sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
new file mode 100644
index 00000000000..329a5a9ebe2
--- /dev/null
+++ b/queue-4.14/sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
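Review bot: The length test added to the SCTP_PARAM_SET_PRIMARY case guarantees only `sizeof(struct sctp_addip_param) + sizeof(struct sctp_paramhdr)` bytes, which covers the header of the embedded address parameter but not its address body. Whether a parameter that passes here but declares a longer address type is still rejected depends on the later handling in sctp_process_param, which the commit message names but this hunk does not show; it is worth confirming that the 4.14 tree checks the embedded parameter's own length against its type before the address is converted. The same applies to the check added to __sctp_rcv_asconf_lookup in the second patch, where `param` is derived right after the test. I would at least record the limit above the test with `/* Minimum only: ADDIP param header plus the header of the embedded address param; the address body is not covered here. */`. sctp_verify_param starts and ends outside the hunk.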
@@ -0,0 +1,37 @@
+From b6ffe7671b24689c09faa5675dd58f93758a97ae Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner
+Date: Mon, 28 Jun 2021 16:13:43 -0300
+Subject: sctp: validate chunk size in __rcv_asconf_lookup
+
+From: Marcelo Ricardo Leitner
+
+commit b6ffe7671b24689c09faa5675dd58f93758a97ae upstream.
+
+In one of the fallbacks that SCTP has for identifying an association for an
+incoming packet, it looks for AddIp chunk (from ASCONF) and take a peek.
+Thing is, at this stage nothing was validating that the chunk actually had
+enough content for that, allowing the peek to happen over uninitialized
+memory.
+
+Similar check already exists in actual asconf handling in
+sctp_verify_asconf().
+
+Signed-off-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1118,6 +1118,9 @@ static struct sctp_association *__sctp_r
+ union sctp_addr_param *param;
+ union sctp_addr paddr;
+
++ if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
++ return NULL;
++
+ /* Skip over the ADDIP header and find the Address parameter */
+ param = (union sctp_addr_param *)(asconf + 1);
+
diff --git a/queue-4.14/series b/queue-4.14/series
index bf8d697f57b..9ccb9d6b288 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -6,3 +6,5 @@ arm-9077-1-plt-move-struct-plt_entries-definition-to-header.patch
 arm-9078-1-add-warn-suppress-parameter-to-arm_gen_branch_link.patch
 arm-9079-1-ftrace-add-module_plts-support.patch
 arm-9098-1-ftrace-module_plt-fix-build-problem-without-dynamic_ftrace.patch
+sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
+sctp-add-param-size-validation-for-sctp_param_set_primary.patch
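Review bot: The early return added to __sctp_rcv_asconf_lookup carries no comment, and the code alone does not say that `return NULL` here presumably means "no association matched through this fallback" rather than an error. A one-line comment above the test would make the intent clear to the next reader, for example `/* Too short to hold the ADDIP header and an address parameter header: do not peek, report no match. */`. The function's signature and the rest of its body are outside the hunk, so what the caller does with NULL cannot be confirmed from here.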