    sctp: fix ASCONF list handling · a43e8e87
    Marcelo Ricardo Leitner authored
    [ Upstream commit 2d45a02d ]
    
    ->auto_asconf_splist is per namespace and mangled by functions like
    sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
    
    Also, the call to inet_sk_copy_descendant() was backuping
    ->auto_asconf_list through the copy but was not honoring
    ->do_auto_asconf, which could lead to list corruption if it was
    different between both sockets.
    
    This commit thus fixes the list handling by using ->addr_wq_lock
    spinlock to protect the list. A special handling is done upon socket
    creation and destruction for that. Error handling on sctp_init_sock()
    will never return an error after having initialized asconf, so
    sctp_destroy_sock() can be called without addr_wq_lock. The lock now
    will be taken on sctp_close_sock(), before locking the socket, so we
    don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
    
    Instead of taking the lock on sctp_sock_migrate() for copying and
    restoring the list values, it's preferred to avoid rewriting it by
    implementing sctp_copy_descendant().
    
    Issue was found with a test application that kept flipping sysctl
    default_auto_asconf on and off, but one could trigger it by issuing
    simultaneous setsockopt() calls on multiple sockets or by
    creating/destroying sockets fast enough. This is only triggerable
    locally.
    
    Fixes: 9f7d653b ("sctp: Add Auto-ASCONF support (core).")
    Reported-by: Ji Jianwen <jiji@redhat.com>
    Suggested-by: Neil Horman <nhorman@tuxdriver.com>
    Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Mühlenhoff <jmm@inutil.org>
    Reference: CVE-2015-3212
    Signed-off-by: Kamal Mostafa <kamal@canonical.com>