Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Sat, 30 Oct 2021 20:33:19 +0000 (16:33 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 30 Oct 2021 20:33:19 +0000 (16:33 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch [new file with mode: 0644]
queue-4.19/sctp-add-vtag-check-in-sctp_sf_ootb.patch [new file with mode: 0644]
queue-4.19/sctp-add-vtag-check-in-sctp_sf_violation.patch [new file with mode: 0644]
queue-4.19/sctp-fix-the-processing-for-cookie_echo-chunk.patch [new file with mode: 0644]
queue-4.19/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch
new file mode 100644 (file)
index 0000000..c1db06e
--- /dev/null
@@ -0,0 +1,65 @@
+From f5a9e82d56407b5ba1f6b7001ce545b52cf4b602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 07:42:46 -0400
+Subject: sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit ef16b1734f0a176277b7bb9c71a6d977a6ef3998 ]
+
+sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk
+in cookie_wait and cookie_echoed state.
+
+The vtag in the chunk's sctphdr should be verified, otherwise, as
+later in chunk length check, it may send abort with the existent
+asoc's vtag, which can be exploited by one to cook a malicious
+chunk to terminate a SCTP asoc.
+
+Note that when fails to verify the vtag from SHUTDOWN-ACK chunk,
+SHUTDOWN COMPLETE message will still be sent back to peer, but
+with the vtag from SHUTDOWN-ACK chunk, as said in 5) of
+rfc4960#section-8.4.
+
+While at it, also remove the unnecessary chunk length check from
+sctp_sf_shut_8_4_5(), as it's already done in both places where
+it calls sctp_sf_shut_8_4_5().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index a4874b55faab..2995d00bd5d0 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3698,12 +3698,6 @@ static enum sctp_disposition sctp_sf_shut_8_4_5(
+       SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
+-      /* If the chunk length is invalid, we don't want to process
+-       * the reset of the packet.
+-       */
+-      if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
+-              return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+-
+       /* We need to discard the rest of the packet to prevent
+        * potential bomming attacks from additional bundled chunks.
+        * This is documented in SCTP Threats ID.
+@@ -3731,6 +3725,9 @@ enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
+ {
+       struct sctp_chunk *chunk = arg;
++      if (!sctp_vtag_verify(chunk, asoc))
++              asoc = NULL;
++
+       /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
+       if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
+               return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+-- 
+2.33.0
+
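Review bot: Dropping the `sctp_chunk_length_valid()` check from `sctp_sf_shut_8_4_5()` turns the minimum chunk length into an undocumented caller precondition, so a comment at the top of that function should state it: `/* Callers must already have verified the chunk length (sctp_chunk_length_valid); no length check is done here. */`. The new vtag check in `sctp_sf_do_8_5_1_E_sa()` also deserves the rationale the commit message gives, e.g. `/* Wrong vtag: treat as OOTB so the SHUTDOWN COMPLETE (or ABORT on bad length) is built from the received vtag, rfc4960#section-8.4 5), not the existing asoc's. */`. Both enclosing functions start and end outside the hunk, so the NULL-asoc path through the rest of `sctp_sf_do_8_5_1_E_sa()` is not visible here and should be confirmed against the full function.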
diff --git a/queue-4.19/sctp-add-vtag-check-in-sctp_sf_ootb.patch b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_ootb.patch
new file mode 100644 (file)
index 0000000..0151deb
--- /dev/null
@@ -0,0 +1,47 @@
+From e3f3ccd39d4b5e301d7c4664241cbdafa8e69f8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 07:42:47 -0400
+Subject: sctp: add vtag check in sctp_sf_ootb
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 9d02831e517aa36ee6bdb453a0eb47bd49923fe3 ]
+
+sctp_sf_ootb() is called when processing DATA chunk in closed state,
+and many other places are also using it.
+
+The vtag in the chunk's sctphdr should be verified, otherwise, as
+later in chunk length check, it may send abort with the existent
+asoc's vtag, which can be exploited by one to cook a malicious
+chunk to terminate a SCTP asoc.
+
+When fails to verify the vtag from the chunk, this patch sets asoc
+to NULL, so that the abort will be made with the vtag from the
+received chunk later.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 2995d00bd5d0..ebca069064df 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3583,6 +3583,9 @@ enum sctp_disposition sctp_sf_ootb(struct net *net,
+       SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
++      if (asoc && !sctp_vtag_verify(chunk, asoc))
++              asoc = NULL;
++
+       ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
+       do {
+               /* Report violation if the chunk is less then minimal */
+-- 
+2.33.0
+
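Review bot: The added `asoc = NULL` on vtag mismatch in `sctp_sf_ootb()` has no comment, and it behaves differently from the sibling patch to `sctp_sf_violation()`, which discards the packet outright; a reader will not know the asymmetry is intended. Suggest `/* Wrong vtag: drop the asoc so any ABORT built below carries the received vtag, never the existing asoc's (which the peer would accept). */` on the new lines. The `asoc &&` guard is consistent with this handler being dispatched in the CLOSED state where asoc can be NULL, which is presumably why the guard is present here but not in the other two patches. Note the `SCTP_MIB_OUTOFBLUES` increment on the line above now also counts packets whose vtag was merely wrong, which may or may not be the intended accounting.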
diff --git a/queue-4.19/sctp-add-vtag-check-in-sctp_sf_violation.patch b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_violation.patch
new file mode 100644 (file)
index 0000000..9e06dfc
--- /dev/null
@@ -0,0 +1,43 @@
+From 3fe67fb7a5a129c0a06ccd4f3c9ff701ffa0ffe3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 07:42:45 -0400
+Subject: sctp: add vtag check in sctp_sf_violation
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ]
+
+sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk
+in cookie_wait state, and some other places are also using it.
+
+The vtag in the chunk's sctphdr should be verified, otherwise, as
+later in chunk length check, it may send abort with the existent
+asoc's vtag, which can be exploited by one to cook a malicious
+chunk to terminate a SCTP asoc.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index e93aa08d2a78..a4874b55faab 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -4561,6 +4561,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net,
+ {
+       struct sctp_chunk *chunk = arg;
++      if (!sctp_vtag_verify(chunk, asoc))
++              return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+       /* Make sure that the chunk has a valid length. */
+       if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
+               return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+-- 
+2.33.0
+
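Review bot: The new `sctp_vtag_verify(chunk, asoc)` call in `sctp_sf_violation()` is not guarded with `asoc &&`, unlike the same check added to `sctp_sf_ootb()` and `sctp_sf_do_5_1D_ce()` in this series. If `sctp_vtag_verify()` dereferences asoc (it presumably compares against the association's own tag), then any state-table slot that can dispatch `sctp_sf_violation()` with a NULL asoc becomes a NULL-pointer dereference triggered by an unauthenticated packet; I cannot see the state table from here, so this may be unreachable. Either mirror the guard, `if (asoc && !sctp_vtag_verify(chunk, asoc))`, or add a comment stating the non-NULL precondition, e.g. `/* asoc is never NULL here: this handler is not used for the CLOSED state. */` once that is confirmed. The enclosing function continues outside the hunk.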
diff --git a/queue-4.19/sctp-fix-the-processing-for-cookie_echo-chunk.patch b/queue-4.19/sctp-fix-the-processing-for-cookie_echo-chunk.patch
new file mode 100644 (file)
index 0000000..21378a9
--- /dev/null
@@ -0,0 +1,75 @@
+From 4869dcbea9ead6cec9d68758e3905d7f016e6335 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 07:42:44 -0400
+Subject: sctp: fix the processing for COOKIE_ECHO chunk
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ]
+
+1. In closed state: in sctp_sf_do_5_1D_ce():
+
+  When asoc is NULL, making packet for abort will use chunk's vtag
+  in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk
+  should be verified before using peer.i.init_tag to make packet
+  for abort in sctp_ootb_pkt_new(), and just discard it if vtag is
+  not correct.
+
+2. In the other states: in sctp_sf_do_5_2_4_dupcook():
+
+  asoc always exists, but duplicate cookie_echo's vtag will be
+  handled by sctp_tietags_compare() and then take actions, so before
+  that we only verify the vtag for the abort sent for invalid chunk
+  length.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index f57fbe79490a..e93aa08d2a78 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -712,6 +712,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
+       struct sock *sk;
+       int error = 0;
++      if (asoc && !sctp_vtag_verify(chunk, asoc))
++              return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+       /* If the packet is an OOTB packet which is temporarily on the
+        * control endpoint, respond with an ABORT.
+        */
+@@ -726,7 +729,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
+        * in sctp_unpack_cookie().
+        */
+       if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
+-              return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++              return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
++                                                commands);
+       /* If the endpoint is not listening or if the number of associations
+        * on the TCP-style socket exceed the max backlog, respond with an
+@@ -2156,9 +2160,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
+        * enough for the chunk header.  Cookie length verification is
+        * done later.
+        */
+-      if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
+-              return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+-                                                commands);
++      if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) {
++              if (!sctp_vtag_verify(chunk, asoc))
++                      asoc = NULL;
++              return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);
++      }
+       /* "Decode" the chunk.  We have no optional parameters so we
+        * are in good shape.
+-- 
+2.33.0
+
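Review bot: In `sctp_sf_do_5_2_4_dupcook()` the new `return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);` runs past the 80-column wrapping the surrounding code uses (the replaced lines wrapped `commands);` onto its own line); it should be wrapped the same way as the original. The new early `sctp_sf_pdiscard()` in `sctp_sf_do_5_1D_ce()` would read better with the reason from the commit message next to it, e.g. `/* An existing asoc with a mismatching vtag: silently discard rather than answer with an ABORT carrying the asoc's vtag. */`. Also worth a sentence in the comment above the length check that a short COOKIE_ECHO now elicits an ABORT (built from the chunk's vtag when asoc is NULL) instead of being dropped, since that is a behavioural change on a malformed-packet path. Both enclosing functions start and end outside the hunk.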
diff --git a/queue-4.19/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch b/queue-4.19/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch
new file mode 100644 (file)
index 0000000..4ffe9c4
--- /dev/null
@@ -0,0 +1,42 @@
+From 342fae62386d47c6ebc4ca36f780aef7b8401218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 07:42:41 -0400
+Subject: sctp: use init_tag from inithdr for ABORT chunk
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ]
+
+Currently Linux SCTP uses the verification tag of the existing SCTP
+asoc when failing to process and sending the packet with the ABORT
+chunk. This will result in the peer accepting the ABORT chunk and
+removing the SCTP asoc. One could exploit this to terminate a SCTP
+asoc.
+
+This patch is to fix it by always using the initiate tag of the
+received INIT chunk for the ABORT chunk to be sent.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index be5ea5e8b19e..f57fbe79490a 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -6261,6 +6261,7 @@ static struct sctp_packet *sctp_ootb_pkt_new(
+                * yet.
+                */
+               switch (chunk->chunk_hdr->type) {
++              case SCTP_CID_INIT:
+               case SCTP_CID_INIT_ACK:
+               {
+                       struct sctp_initack_chunk *initack;
+-- 
+2.33.0
+
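Review bot: The added `case SCTP_CID_INIT:` falls through into code that reinterprets the chunk as `struct sctp_initack_chunk` and reads `init_hdr.init_tag`; that presumably relies on INIT and INIT-ACK sharing the same init-header layout, which should be stated: `/* INIT and INIT ACK share the init header layout, so the peer's initiate tag sits at the same offset in both. */`. No length check is visible in this hunk before the init header is read, and an ABORT for a length violation of an INIT is exactly the path this commit routes here, so the callers must guarantee at least the init header is present; the enclosing `sctp_ootb_pkt_new()` starts and ends outside the hunk and may already ensure this, but it should be confirmed rather than assumed. If it does not, a `sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk))` guard before the read is the safe fix.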
index 74b07e4ee16ed49ea6fcb3b637e324c0e2a675ac..e1861cc97f576f5203e83b8949def9a61808b816 100644 (file)
@@ -28,3 +28,8 @@ nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
 net-ethernet-microchip-lan743x-fix-driver-crash-when-lan743x_pm_resume-fails.patch
 net-ethernet-microchip-lan743x-fix-dma-allocation-failure-by-using-dma_set_mask_and_coherent.patch
 net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch
+sctp-use-init_tag-from-inithdr-for-abort-chunk.patch
+sctp-fix-the-processing-for-cookie_echo-chunk.patch
+sctp-add-vtag-check-in-sctp_sf_violation.patch
+sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch
+sctp-add-vtag-check-in-sctp_sf_ootb.patch