From: Sasha Levin Date: Sat, 30 Oct 2021 20:33:21 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.291~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1afbb745bbcb2550e61b637b03597afa16b266b3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/sctp-add-vtag-check-in-sctp_sf_violation.patch b/queue-4.4/sctp-add-vtag-check-in-sctp_sf_violation.patch new file mode 100644 index 00000000000..c4b28568f77 --- /dev/null +++ b/queue-4.4/sctp-add-vtag-check-in-sctp_sf_violation.patch 
@@ -0,0 +1,43 @@ +From de16284cee25224f74220698ef7addd058fcc102 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:45 -0400 +Subject: sctp: add vtag check in sctp_sf_violation + +From: Xin Long + +[ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ] + +sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk +in cookie_wait state, and some other places are also using it. + +The vtag in the chunk's sctphdr should be verified, otherwise, as +later in chunk length check, it may send abort with the existent +asoc's vtag, which can be exploited by one to cook a malicious +chunk to terminate a SCTP asoc. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index b83f90bb1a6e..53bb631ec490 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -4337,6 +4337,9 @@ sctp_disposition_t sctp_sf_violation(struct net *net, + { + struct sctp_chunk *chunk = arg; + ++ if (!sctp_vtag_verify(chunk, asoc)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* Make sure that the chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +-- +2.33.0 + diff --git a/queue-4.4/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch b/queue-4.4/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch new file mode 100644 index 00000000000..8884aaf7e3a --- /dev/null +++ b/queue-4.4/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch 
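Review bot: the new sctp_vtag_verify(chunk, asoc) call dereferences asoc with no NULL test, so the check is only safe if every state-table entry that routes to sctp_sf_violation does so with an existing association; the commit message says "some other places are also using it", so listing those callers in the message (or a one-line comment above the check) would record that none of them reach this handler with asoc == NULL the way the OOTB handlers do. The ordering is right: sctp_vtag_verify() reads the verification tag from the common SCTP header, not from the chunk whose length sctp_chunk_length_valid() has not yet checked, and returning sctp_sf_pdiscard() silently drops the whole packet as RFC 4960 section 8.5 requires on a tag mismatch, instead of falling into the length check and building an ABORT that would carry the association's real tag.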
@@ -0,0 +1,42 @@ +From bb80891918c5653ea9ecb4abdc464c228ffc4a21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:41 -0400 +Subject: sctp: use init_tag from inithdr for ABORT chunk + +From: Xin Long + +[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ] + +Currently Linux SCTP uses the verification tag of the existing SCTP +asoc when failing to process and sending the packet with the ABORT +chunk. This will result in the peer accepting the ABORT chunk and +removing the SCTP asoc. One could exploit this to terminate a SCTP +asoc. + +This patch is to fix it by always using the initiate tag of the +received INIT chunk for the ABORT chunk to be sent. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index a9ba6f2bb8c8..b83f90bb1a6e 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -6027,6 +6027,7 @@ static struct sctp_packet *sctp_ootb_pkt_new(struct net *net, + * yet. + */ + switch (chunk->chunk_hdr->type) { ++ case SCTP_CID_INIT: + case SCTP_CID_INIT_ACK: + { + sctp_initack_chunk_t *initack; +-- +2.33.0 + diff --git a/queue-4.4/series b/queue-4.4/series index 7165e17f9ef..e25c115421b 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -13,3 +13,5 @@ mmc-sdhci-map-more-voltage-level-to-sdhci_power_330.patch net-lan78xx-fix-division-by-zero-in-send-path.patch regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch +sctp-use-init_tag-from-inithdr-for-abort-chunk.patch +sctp-add-vtag-check-in-sctp_sf_violation.patch
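Review bot: the added `case SCTP_CID_INIT:` falls through into the existing INIT_ACK branch, which casts chunk->chunk_hdr to sctp_initack_chunk_t and reads the init_tag from it; that is correct only because INIT and INIT_ACK share the same init header layout, and a short comment in the case body (or a cast to the INIT-specific chunk type) would stop a later reader from taking the fall-through for a typo. The hunk shows only the type switch, so it would help for the commit message to say where the chunk length is validated to cover the init header before this cast, since sctp_ootb_pkt_new() runs for packets that match no association. Taking the verification tag of the ABORT from the INIT's Initiate Tag is what RFC 4960 section 8.4 requires for an out-of-the-blue INIT; using the existing asoc's tag instead is the behaviour the commit message describes as exploitable.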
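Review bot: the order in queue-4.4/series (use-init_tag first, then add-vtag-check) matches the blob index lines of the two patches: the init_tag patch takes net/sctp/sm_statefuns.c from a9ba6f2bb8c8 to b83f90bb1a6e and the vtag-check patch starts from b83f90bb1a6e, so the queue applies cleanly as listed; keep that order if either patch is later dropped or reworked, or the second one will need rebasing.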