From 4f4579ff7e7536a20cccd2553ee01671df17e416 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 18 Apr 2021 12:30:52 +0200
Subject: [PATCH] 5.11-stable patches

added patches:
 net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
---
 ...-race-condition-in-sctp_destroy_sock.patch | 80 +++++++++++++++++++
 queue-5.11/series | 1 +
 2 files changed, 81 insertions(+)
 create mode 100644 queue-5.11/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch

diff --git a/queue-5.11/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch b/queue-5.11/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
new file mode 100644
index 00000000000..d6ea5669e49
--- /dev/null
+++ b/queue-5.11/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
@@ -0,0 +1,80 @@
+From b166a20b07382b8bc1dcee2a448715c9c2c81b5b Mon Sep 17 00:00:00 2001
+From: Or Cohen
+Date: Tue, 13 Apr 2021 21:10:31 +0300
+Subject: net/sctp: fix race condition in sctp_destroy_sock
+
+From: Or Cohen
+
+commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b upstream.
+
+If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock
+held and sp->do_auto_asconf is true, then an element is removed
+from the auto_asconf_splist without any proper locking.
+
+This can happen in the following functions:
+1. In sctp_accept, if sctp_sock_migrate fails.
+2. In inet_create or inet6_create, if there is a bpf program
+ attached to BPF_CGROUP_INET_SOCK_CREATE which denies
+ creation of the sctp socket.
+
+The bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock
+instead of sctp_close.
+
+This addresses CVE-2021-23133.
+
+Reported-by: Or Cohen
+Reviewed-by: Xin Long
+Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications")
+Signed-off-by: Or Cohen
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1520,11 +1520,9 @@ static void sctp_close(struct sock *sk,
+ 
+ /* Supposedly, no process has access to the socket, but
+ * the net layers still may.
+- * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
+- * held and that should be grabbed before socket lock.
+ */
+- spin_lock_bh(&net->sctp.addr_wq_lock);
+- bh_lock_sock_nested(sk);
++ local_bh_disable();
++ bh_lock_sock(sk);
+ 
+ /* Hold the sock, since sk_common_release() will put sock_put()
+ * and we have just a little more cleanup.
+@@ -1533,7 +1531,7 @@ static void sctp_close(struct sock *sk,
+ sk_common_release(sk);
+ 
+ bh_unlock_sock(sk);
+- spin_unlock_bh(&net->sctp.addr_wq_lock);
++ local_bh_enable();
+ 
+ sock_put(sk);
+ 
+@@ -4993,9 +4991,6 @@ static int sctp_init_sock(struct sock *s
+ sk_sockets_allocated_inc(sk);
+ sock_prot_inuse_add(net, sk->sk_prot, 1);
+ 
+- /* Nothing can fail after this block, otherwise
+- * sctp_destroy_sock() will be called without addr_wq_lock held
+- */
+ if (net->sctp.default_auto_asconf) {
+ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list,
+@@ -5030,7 +5025,9 @@ static void sctp_destroy_sock(struct soc
+ 
+ if (sp->do_auto_asconf) {
+ sp->do_auto_asconf = 0;
++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ list_del(&sp->auto_asconf_list);
++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ }
+ sctp_endpoint_free(sp->ep);
+ local_bh_disable();
diff --git a/queue-5.11/series b/queue-5.11/series
index a95e62e45ff..088745cbacf 100644
--- a/queue-5.11/series
+++ b/queue-5.11/series
@@ -52,3 +52,4 @@ drm-amd-display-add-missing-mask-for-dcn3.patch
 mac80211-clear-sta-fast_rx-when-sta-removed-from-4-a.patch
 virt_wifi-return-micros-for-bss-tsf-values.patch
 lib-fix-kconfig-dependency-on-arch_want_frame_pointe.patch
+net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
-- 
2.47.3
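Review bot: The new `spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock)` in sctp_destroy_sock() inverts the lock order that the comment deleted from sctp_close() documented ("addr_wq_lock ... should be grabbed before socket lock"): sctp_close() still holds bh_lock_sock(sk) across sk_common_release(sk), which presumably is what reaches sctp_destroy_sock(), so the teardown path now takes the socket lock first and addr_wq_lock second. If any other path — the rationale in the deleted comment suggests one exists, likely whatever walks auto_asconf_splist under addr_wq_lock — takes addr_wq_lock and then the socket lock, this is an ABBA deadlock, so the change trades an unlocked list_del() for a lock-order inversion and should at least be run under lockdep with auto_asconf enabled and sockets being closed. A safer shape is to keep the list removal out of sctp_destroy_sock() (which can run with the socket lock held) and instead have the two early-failure paths named in the description take addr_wq_lock before the socket lock, or defer adding the socket to auto_asconf_splist until it is actually bound; at minimum the new lines need a comment stating the assumption, e.g. `/* taken under the socket lock: no path may hold addr_wq_lock and then lock this sock */`. Both sctp_close() and sctp_destroy_sock() begin outside the hunk.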