From: Sasha Levin Date: Sat, 30 Oct 2021 20:33:19 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.4.291~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db38774b5022a35d542f3ac97f5a42318e22cae6;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch new file mode 100644 index 00000000000..c1db06e4ef5 --- /dev/null +++ b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch 
@@ -0,0 +1,65 @@ +From f5a9e82d56407b5ba1f6b7001ce545b52cf4b602 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:46 -0400 +Subject: sctp: add vtag check in sctp_sf_do_8_5_1_E_sa + +From: Xin Long + +[ Upstream commit ef16b1734f0a176277b7bb9c71a6d977a6ef3998 ] + +sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk +in cookie_wait and cookie_echoed state. + +The vtag in the chunk's sctphdr should be verified, otherwise, as +later in chunk length check, it may send abort with the existent +asoc's vtag, which can be exploited by one to cook a malicious +chunk to terminate a SCTP asoc. + +Note that when fails to verify the vtag from SHUTDOWN-ACK chunk, +SHUTDOWN COMPLETE message will still be sent back to peer, but +with the vtag from SHUTDOWN-ACK chunk, as said in 5) of +rfc4960#section-8.4. + +While at it, also remove the unnecessary chunk length check from +sctp_sf_shut_8_4_5(), as it's already done in both places where +it calls sctp_sf_shut_8_4_5(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index a4874b55faab..2995d00bd5d0 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -3698,12 +3698,6 @@ static enum sctp_disposition sctp_sf_shut_8_4_5( + + SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS); + +- /* If the chunk length is invalid, we don't want to process +- * the reset of the packet. +- */ +- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); +- + /* We need to discard the rest of the packet to prevent + * potential bomming attacks from additional bundled chunks. + * This is documented in SCTP Threats ID. 
+@@ -3731,6 +3725,9 @@ enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net, + { + struct sctp_chunk *chunk = arg; + ++ if (!sctp_vtag_verify(chunk, asoc)) ++ asoc = NULL; ++ + /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +-- +2.33.0 + diff --git a/queue-4.19/sctp-add-vtag-check-in-sctp_sf_ootb.patch b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_ootb.patch new file mode 100644 index 00000000000..0151debd9d9 --- /dev/null +++ b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_ootb.patch 
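Review bot: in the sctp_sf_do_8_5_1_E_sa() hunk the new `asoc = NULL` is reached before the length check, so sctp_sf_violation_chunklen() and, further down, sctp_sf_shut_8_4_5() now run with a NULL asoc; the patch depends on both tolerating that (the sctp_sf_ootb patch in this series makes the same assumption), and the reason for dropping asoc instead of discarding (the SHUTDOWN COMPLETE must carry the reflected vtag per the commit message's reference to rfc4960 section 8.4 item 5) lives only in the commit message, so a one-line comment at the check would help. In the sctp_sf_shut_8_4_5() hunk the removed length check is justified by "both places where it calls sctp_sf_shut_8_4_5()", but only one caller, sctp_sf_do_8_5_1_E_sa(), is visible in this diff; the other caller's check should be named in the message or confirmed during review. Style: the retained context comment says "bomming attacks"; "bombing" could be corrected while this block is being touched.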
@@ -0,0 +1,47 @@ +From e3f3ccd39d4b5e301d7c4664241cbdafa8e69f8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:47 -0400 +Subject: sctp: add vtag check in sctp_sf_ootb + +From: Xin Long + +[ Upstream commit 9d02831e517aa36ee6bdb453a0eb47bd49923fe3 ] + +sctp_sf_ootb() is called when processing DATA chunk in closed state, +and many other places are also using it. + +The vtag in the chunk's sctphdr should be verified, otherwise, as +later in chunk length check, it may send abort with the existent +asoc's vtag, which can be exploited by one to cook a malicious +chunk to terminate a SCTP asoc. + +When fails to verify the vtag from the chunk, this patch sets asoc +to NULL, so that the abort will be made with the vtag from the +received chunk later. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 2995d00bd5d0..ebca069064df 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -3583,6 +3583,9 @@ enum sctp_disposition sctp_sf_ootb(struct net *net, + + SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); + ++ if (asoc && !sctp_vtag_verify(chunk, asoc)) ++ asoc = NULL; ++ + ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; + do { + /* Report violation if the chunk is less then minimal */ +-- +2.33.0 + diff --git a/queue-4.19/sctp-add-vtag-check-in-sctp_sf_violation.patch b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_violation.patch new file mode 100644 index 00000000000..9e06dfc02a8 --- /dev/null +++ b/queue-4.19/sctp-add-vtag-check-in-sctp_sf_violation.patch 
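Review bot: the sctp_sf_ootb() check is written `if (asoc && !sctp_vtag_verify(chunk, asoc))`, whereas the sibling patches for sctp_sf_violation() and sctp_sf_do_8_5_1_E_sa() call sctp_vtag_verify(chunk, asoc) unguarded; since the commit message says this function runs for DATA in the closed state (asoc may be NULL), the guard is required here, and a short comment saying so would stop a later cleanup from "harmonising" it away. Placing the check after SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES) and before the per-chunk do/while loop is the right spot, because the vtag belongs to the common header and is a per-packet property, not per chunk. Style: the retained context comment "less then minimal" should read "less than minimal".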
@@ -0,0 +1,43 @@ +From 3fe67fb7a5a129c0a06ccd4f3c9ff701ffa0ffe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:45 -0400 +Subject: sctp: add vtag check in sctp_sf_violation + +From: Xin Long + +[ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ] + +sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk +in cookie_wait state, and some other places are also using it. + +The vtag in the chunk's sctphdr should be verified, otherwise, as +later in chunk length check, it may send abort with the existent +asoc's vtag, which can be exploited by one to cook a malicious +chunk to terminate a SCTP asoc. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index e93aa08d2a78..a4874b55faab 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -4561,6 +4561,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net, + { + struct sctp_chunk *chunk = arg; + ++ if (!sctp_vtag_verify(chunk, asoc)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* Make sure that the chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +-- +2.33.0 + diff --git a/queue-4.19/sctp-fix-the-processing-for-cookie_echo-chunk.patch b/queue-4.19/sctp-fix-the-processing-for-cookie_echo-chunk.patch new file mode 100644 index 00000000000..21378a9cfae --- /dev/null +++ b/queue-4.19/sctp-fix-the-processing-for-cookie_echo-chunk.patch 
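Review bot: sctp_sf_violation() now calls sctp_vtag_verify(chunk, asoc) with no `asoc &&` guard, unlike the sctp_sf_ootb() patch in this series; the commit message notes that "some other places are also using it", so either confirm that no caller can reach this function with asoc == NULL or add the guard. Separately, a mismatch here is handled by sctp_sf_pdiscard() (silent discard), while the other patches demote asoc to NULL and still send the ABORT with the reflected tag; if the difference is intentional (a violation reply for a packet that does not even verify is pointless), a sentence in the message explaining why discard was chosen here would save the next reader from wondering whether one of the two styles is a mistake.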
@@ -0,0 +1,75 @@ +From 4869dcbea9ead6cec9d68758e3905d7f016e6335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:44 -0400 +Subject: sctp: fix the processing for COOKIE_ECHO chunk + +From: Xin Long + +[ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ] + +1. In closed state: in sctp_sf_do_5_1D_ce(): + + When asoc is NULL, making packet for abort will use chunk's vtag + in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk + should be verified before using peer.i.init_tag to make packet + for abort in sctp_ootb_pkt_new(), and just discard it if vtag is + not correct. + +2. In the other states: in sctp_sf_do_5_2_4_dupcook(): + + asoc always exists, but duplicate cookie_echo's vtag will be + handled by sctp_tietags_compare() and then take actions, so before + that we only verify the vtag for the abort sent for invalid chunk + length. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index f57fbe79490a..e93aa08d2a78 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -712,6 +712,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, + struct sock *sk; + int error = 0; + ++ if (asoc && !sctp_vtag_verify(chunk, asoc)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* If the packet is an OOTB packet which is temporarily on the + * control endpoint, respond with an ABORT. + */ +@@ -726,7 +729,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, + * in sctp_unpack_cookie(). 
+ */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, ++ commands); + + /* If the endpoint is not listening or if the number of associations + * on the TCP-style socket exceed the max backlog, respond with an +@@ -2156,9 +2160,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook( + * enough for the chunk header. Cookie length verification is + * done later. + */ +- if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) +- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, +- commands); ++ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) { ++ if (!sctp_vtag_verify(chunk, asoc)) ++ asoc = NULL; ++ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands); ++ } + + /* "Decode" the chunk. We have no optional parameters so we + * are in good shape. +-- +2.33.0 + diff --git a/queue-4.19/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch b/queue-4.19/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch new file mode 100644 index 00000000000..4ffe9c4e3d7 --- /dev/null +++ b/queue-4.19/sctp-use-init_tag-from-inithdr-for-abort-chunk.patch 
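Review bot: the second sctp_sf_do_5_1D_ce() hunk changes a bad-length COOKIE_ECHO from sctp_sf_pdiscard() to sctp_sf_violation_chunklen(), so a malformed chunk that used to be silently dropped now elicits an ABORT (built from the chunk's own vtag when asoc is NULL, per the new check above it); that is a user-visible behaviour change the commit message does not spell out, and it deserves a sentence there. In the sctp_sf_do_5_2_4_dupcook() hunk, `return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);` at two tabs of indentation exceeds 80 columns; the removed lines already wrapped `commands);` onto a continuation line, so keep that wrapping inside the new braces rather than reflowing it.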
@@ -0,0 +1,42 @@ +From 342fae62386d47c6ebc4ca36f780aef7b8401218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:42:41 -0400 +Subject: sctp: use init_tag from inithdr for ABORT chunk + +From: Xin Long + +[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ] + +Currently Linux SCTP uses the verification tag of the existing SCTP +asoc when failing to process and sending the packet with the ABORT +chunk. This will result in the peer accepting the ABORT chunk and +removing the SCTP asoc. One could exploit this to terminate a SCTP +asoc. + +This patch is to fix it by always using the initiate tag of the +received INIT chunk for the ABORT chunk to be sent. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index be5ea5e8b19e..f57fbe79490a 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -6261,6 +6261,7 @@ static struct sctp_packet *sctp_ootb_pkt_new( + * yet. + */ + switch (chunk->chunk_hdr->type) { ++ case SCTP_CID_INIT: + case SCTP_CID_INIT_ACK: + { + struct sctp_initack_chunk *initack; +-- +2.33.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 74b07e4ee16..e1861cc97f5 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
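Review bot: the new `case SCTP_CID_INIT:` falls through into the SCTP_CID_INIT_ACK block, which declares `struct sctp_initack_chunk *initack;` and so reads the INIT chunk through an INIT-ACK pointer; that is only correct because the INIT and INIT ACK chunks share the same header layout up to init_tag, and nothing in the hunk says so, so add a comment at the new case (or use a type that names the common header) to document the aliasing. It should also be confirmed that every path into sctp_ootb_pkt_new() for an INIT has already validated the chunk length against the full init header, since the cast below reads fields beyond the generic chunk header and no length check is visible in this diff.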
@@ -28,3 +28,8 @@ nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch net-ethernet-microchip-lan743x-fix-driver-crash-when-lan743x_pm_resume-fails.patch net-ethernet-microchip-lan743x-fix-dma-allocation-failure-by-using-dma_set_mask_and_coherent.patch net-nxp-lpc_eth.c-avoid-hang-when-bringing-interface-down.patch +sctp-use-init_tag-from-inithdr-for-abort-chunk.patch +sctp-fix-the-processing-for-cookie_echo-chunk.patch +sctp-add-vtag-check-in-sctp_sf_violation.patch +sctp-add-vtag-check-in-sctp_sf_do_8_5_1_e_sa.patch +sctp-add-vtag-check-in-sctp_sf_ootb.patch
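The verification-tag rule that the five patches above enforce, shown as an added model that is not kernel code and not part of this series: it places the pre-fix reply (ABORT stamped with the existing association's peer tag regardless of the received vtag) beside the fixed reply (vtag mismatch demotes asoc to NULL, so the ABORT reflects the received vtag with the T bit set, RFC 4960 section 8.4), and runs both against the peer's acceptance rule from section 8.5.1 (B). The struct names, helper names and tag values are constructed for illustration.

```c
/*
 * Added example, not kernel code: a minimal model of the RFC 4960 verification
 * tag rules that the series above enforces. Struct and function names and all
 * tag values are constructed for illustration only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct assoc_model {
	uint32_t local_tag;	/* tag the peer must put in packets sent to us */
	uint32_t peer_tag;	/* tag we put in packets sent to the peer */
};

struct abort_model {
	uint32_t vtag;		/* Verification Tag of the outbound packet */
	bool t_bit;		/* T bit: vtag is reflected from the OOTB packet (8.4) */
};

/* RFC 4960 8.5: a packet for an existing association must carry our own tag.
 * Like the `asoc &&` guard in the sctp_sf_ootb() patch, NULL never verifies. */
static bool vtag_verify(uint32_t pkt_vtag, const struct assoc_model *asoc)
{
	return asoc != NULL && pkt_vtag == asoc->local_tag;
}

/*
 * Build the ABORT sent in reply to a malformed chunk.
 * fixed == false: pre-series behaviour, the existing association's peer tag is
 *   used even though the received vtag was never checked.
 * fixed == true: the series' behaviour, a mismatching vtag demotes asoc to NULL
 *   so the reply follows 8.4 rule (8): reflect the received vtag, set the T bit.
 */
static struct abort_model build_abort(uint32_t pkt_vtag,
				      const struct assoc_model *asoc, bool fixed)
{
	struct abort_model out;

	if (fixed && !vtag_verify(pkt_vtag, asoc))
		asoc = NULL;

	if (asoc) {
		out.vtag = asoc->peer_tag;
		out.t_bit = false;
	} else {
		out.vtag = pkt_vtag;
		out.t_bit = true;
	}
	return out;
}

/* RFC 4960 8.5.1 (B): the receiver accepts an ABORT only if the vtag is its
 * own tag with T clear, or its peer's tag with T set. */
static bool peer_accepts_abort(const struct abort_model *a,
			       const struct assoc_model *peer)
{
	if (!a->t_bit)
		return a->vtag == peer->local_tag;
	return a->vtag == peer->peer_tag;
}

/*
 * Scenario: an off-path sender delivers a malformed chunk carrying vtag
 * `forged_vtag` to the victim; returns true if the victim's resulting ABORT
 * is accepted by the real peer, i.e. the association is torn down.
 */
static bool forged_chunk_kills_assoc(uint32_t forged_vtag, bool fixed)
{
	/* Constructed tags: each side's local tag is the other's peer tag. */
	const struct assoc_model victim = { .local_tag = 0x1111aaaa, .peer_tag = 0x2222bbbb };
	const struct assoc_model peer   = { .local_tag = 0x2222bbbb, .peer_tag = 0x1111aaaa };
	struct abort_model a = build_abort(forged_vtag, &victim, fixed);

	return peer_accepts_abort(&a, &peer);
}

int main(void)
{
	uint32_t guess = 0xdeadbeef;	/* sender does not know the real tag */

	printf("before fix: forged chunk tears down assoc = %s\n",
	       forged_chunk_kills_assoc(guess, false) ? "yes" : "no");
	printf("after fix:  forged chunk tears down assoc = %s\n",
	       forged_chunk_kills_assoc(guess, true) ? "yes" : "no");
	return 0;
}
```

The model also shows the limit of the fix: a sender that already knows the victim's own tag still verifies, and the resulting ABORT is then a legitimate reply, so the patches close the off-path case only, which is exactly what the commit messages claim.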