From d6cf881260ad57ecc213227f053835795dff4fea Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 18 Apr 2021 12:30:15 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
---
 ...-race-condition-in-sctp_destroy_sock.patch | 80 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 81 insertions(+)
 create mode 100644 queue-5.4/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch

diff --git a/queue-5.4/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch b/queue-5.4/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
new file mode 100644
index 00000000000..dacd026bcd0
--- /dev/null
+++ b/queue-5.4/net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
@@ -0,0 +1,80 @@
+From b166a20b07382b8bc1dcee2a448715c9c2c81b5b Mon Sep 17 00:00:00 2001
+From: Or Cohen
+Date: Tue, 13 Apr 2021 21:10:31 +0300
+Subject: net/sctp: fix race condition in sctp_destroy_sock
+
+From: Or Cohen
+
+commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b upstream.
+
+If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock
+held and sp->do_auto_asconf is true, then an element is removed
+from the auto_asconf_splist without any proper locking.
+
+This can happen in the following functions:
+1. In sctp_accept, if sctp_sock_migrate fails.
+2. In inet_create or inet6_create, if there is a bpf program
+ attached to BPF_CGROUP_INET_SOCK_CREATE which denies
+ creation of the sctp socket.
+
+The bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock
+instead of sctp_close.
+
+This addresses CVE-2021-23133.
+
+Reported-by: Or Cohen
+Reviewed-by: Xin Long
+Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications")
+Signed-off-by: Or Cohen
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1539,11 +1539,9 @@ static void sctp_close(struct sock *sk,
+
+ /* Supposedly, no process has access to the socket, but
+ * the net layers still may.
+- * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
+- * held and that should be grabbed before socket lock.
+ */
+- spin_lock_bh(&net->sctp.addr_wq_lock);
+- bh_lock_sock_nested(sk);
++ local_bh_disable();
++ bh_lock_sock(sk);
+
+ /* Hold the sock, since sk_common_release() will put sock_put()
+ * and we have just a little more cleanup.
+@@ -1552,7 +1550,7 @@ static void sctp_close(struct sock *sk,
+ sk_common_release(sk);
+
+ bh_unlock_sock(sk);
+- spin_unlock_bh(&net->sctp.addr_wq_lock);
++ local_bh_enable();
+
+ sock_put(sk);
+
+@@ -5115,9 +5113,6 @@ static int sctp_init_sock(struct sock *s
+ sk_sockets_allocated_inc(sk);
+ sock_prot_inuse_add(net, sk->sk_prot, 1);
+
+- /* Nothing can fail after this block, otherwise
+- * sctp_destroy_sock() will be called without addr_wq_lock held
+- */
+ if (net->sctp.default_auto_asconf) {
+ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list,
+@@ -5152,7 +5147,9 @@ static void sctp_destroy_sock(struct soc
+
+ if (sp->do_auto_asconf) {
+ sp->do_auto_asconf = 0;
++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ list_del(&sp->auto_asconf_list);
++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ }
+ sctp_endpoint_free(sp->ep);
+ local_bh_disable();
diff --git a/queue-5.4/series b/queue-5.4/series
index 08db02912bc..ba6b7e645a0 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -6,6 +6,7 @@ scsi-qla2xxx-retry-plogi-on-fc-nvme-prli-failure.patch
 scsi-qla2xxx-add-a-shadow-variable-to-hold-disc_stat.patch
 scsi-qla2xxx-fix-stuck-login-session-using-prli_pend.patch
 scsi-qla2xxx-fix-fabric-scan-hang.patch
+net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
 input-nspire-keypad-enable-interrupts-only-when-open.patch
 gpio-sysfs-obey-valid_mask.patch
 dmaengine-dw-make-it-dependent-to-has_iomem.patch
-- 
2.47.3
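Review bot: The new `spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock)` in the sctp_destroy_sock hunk is taken while sctp_close already holds the socket lock (`bh_lock_sock(sk)` precedes `sk_common_release(sk)` in the first two hunks), which is the reverse of the order the removed comment documented ("addr_wq_lock ... should be grabbed before socket lock"); if any other path still takes addr_wq_lock first and then locks a socket found on auto_asconf_splist (such a walker is not visible in this hunk), the fix trades an unlocked list_del for an AB/BA lock inversion and a possible deadlock. I believe upstream later reverted this commit for that reason and moved auto_asconf registration out of socket init instead, so the current upstream state should be confirmed before this is queued for 5.4. Separately, the sctp_init_sock hunk keeps a plain `spin_lock()` on addr_wq_lock while sctp_destroy_sock now uses the `_bh` variant, which is only consistent if that call sits inside a local_bh_disable() section that lies outside the hunk. If the patch is kept, a comment at the new lock site, `/* addr_wq_lock protects auto_asconf_splist; taken here so every destroy path (failed migrate, BPF-denied create) is covered */`, would restore the rationale that the two removed comments carried.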