From patchwork Thu Nov 16 04:17:48 2017
X-Patchwork-Submitter: "Eric W. Biederman"
X-Patchwork-Id: 838390
X-Patchwork-Delegate: davem@davemloft.net
From: ebiederm@xmission.com (Eric W. Biederman)
To: "David S. Miller"
Cc: Kees Cook, Eric Dumazet, Kostya Serebryany, Andrey Konovalov, Network Development, LKML, security@kernel.org, Alexander Potapenko, linux-sctp@vger.kernel.org, Neil Horman, Vlad Yasevich
References: <20171031161445.GA140874@beast> <1509471094.3828.26.camel@edumazet-glaptop3.roam.corp.google.com> <871slikvvf.fsf@xmission.com>
Date: Wed, 15 Nov 2017 22:17:48 -0600
In-Reply-To: (Alexander Potapenko's message of "Wed, 15 Nov 2017 09:22:39 +0100")
Message-ID: <871skyzwk3.fsf_-_@xmission.com>
Subject: [PATCH net] net/sctp: Always set scope_id in sctp_inet6_skb_msgname
X-Mailing-List: netdev@vger.kernel.org

Alexander Potapenko, while testing the kernel with KMSAN and syzkaller, discovered that in some configurations sctp would leak 4 bytes of kernel stack.

Working with his reproducer I discovered that those 4 bytes that are leaked are the scope id of an ipv6 address returned by recvmsg.

With a little code inspection and a shrewd guess I discovered that sctp_inet6_skb_msgname only initializes the scope_id field for link local ipv6 addresses to the interface index the link local address pertains to instead of initializing the scope_id field for all ipv6 addresses.

That is almost reasonable as scope_ids are meaningful only for link local addresses. Set the scope_id in all other cases to 0 which is not a valid interface index to make it clear there is nothing useful in the scope_id field.

There should be no danger of breaking userspace as the stack leak guaranteed that previously meaningless random data was being returned.
Cc: stable@vger.kernel.org Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.") History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Reported-by: Alexander Potapenko Tested-by: Alexander Potapenko Signed-off-by: "Eric W. Biederman" --- net/sctp/ipv6.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index a6dfa86c0201..3b18085e3b10 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -807,9 +807,10 @@ static void sctp_inet6_skb_msgname(struct sk_buff *skb, char *msgname, addr->v6.sin6_flowinfo = 0; addr->v6.sin6_port = sh->source; addr->v6.sin6_addr = ipv6_hdr(skb)->saddr; - if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { + if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) addr->v6.sin6_scope_id = sctp_v6_skb_iif(skb); - } + else + addr->v6.sin6_scope_id = 0; } *addr_len = sctp_v6_addr_to_user(sctp_sk(skb->sk), addr);
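Review bot: the new else branch closes the leak on the non-link-local path, but sin6_family is not among the assignments visible in this hunk's context (sin6_flowinfo, sin6_port, sin6_addr, sin6_scope_id), so please confirm it is set unconditionally earlier in sctp_inet6_skb_msgname(); once family, port, flowinfo, addr and scope_id are all written, struct sockaddr_in6 has no padding left, and every byte handed to sctp_v6_addr_to_user() on either path is initialised. A one-line alternative with the same semantics (interface index for link-local, 0 otherwise) is the helper the IPv6 datagram code uses for exactly this purpose: `addr->v6.sin6_scope_id = ipv6_iface_scope_id(&addr->v6.sin6_addr, sctp_v6_skb_iif(skb));`. It additionally treats link-local-scoped multicast as needing a scope id, which cannot occur for an SCTP source address, so behaviour here would be identical and the two-branch if/else goes away.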
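To make the leak concrete, here is an added user-space model of the function before and after this patch; it is not code from the patch or from net/sctp. The kernel helpers are replaced by constructed stand-ins: a `fake_skb` struct supplies the source address, source port and incoming interface index that `ipv6_hdr(skb)->saddr`, `sh->source` and `sctp_v6_skb_iif(skb)` would provide, and libc's `IN6_IS_ADDR_LINKLOCAL()` stands in for the `ipv6_addr_type() & IPV6_ADDR_LINKLOCAL` test. The recvmsg() caller's stack is modelled by filling the `sockaddr_in6` with a poison byte before the function runs, so any byte the function never writes comes back as poison, which is how the 4 leaked bytes from the commit message show up without KMSAN.

```c
/*
 * Added example, not code from the patch or from net/sctp: a user-space model
 * of sctp_inet6_skb_msgname() before and after the fix. fake_skb and the
 * poison-filled sockaddr_in6 are constructed stand-ins for the skb and the
 * caller's dirty stack respectively.
 */
#include <arpa/inet.h>    /* inet_pton, htons */
#include <netinet/in.h>   /* struct sockaddr_in6, IN6_IS_ADDR_LINKLOCAL */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_BYTE 0xA5u          /* stand-in for stale stack contents */
#define POISON_U32  0xA5A5A5A5u

/* Constructed stand-in for the parts of the skb that msgname() reads. */
struct fake_skb {
	struct in6_addr saddr;   /* ipv6_hdr(skb)->saddr */
	uint16_t sport;          /* sh->source, network byte order */
	int iif;                 /* what sctp_v6_skb_iif(skb) would return */
};

typedef void (*msgname_fn)(const struct fake_skb *, struct sockaddr_in6 *);

/* Before the patch: sin6_scope_id is written only for link-local sources. */
static void msgname_before(const struct fake_skb *skb, struct sockaddr_in6 *a)
{
	a->sin6_family = AF_INET6;
	a->sin6_flowinfo = 0;
	a->sin6_port = skb->sport;
	a->sin6_addr = skb->saddr;
	if (IN6_IS_ADDR_LINKLOCAL(&a->sin6_addr))
		a->sin6_scope_id = (uint32_t)skb->iif;
	/* non-link-local: sin6_scope_id keeps whatever the stack held */
}

/* After the patch: sin6_scope_id is written on both paths. */
static void msgname_after(const struct fake_skb *skb, struct sockaddr_in6 *a)
{
	a->sin6_family = AF_INET6;
	a->sin6_flowinfo = 0;
	a->sin6_port = skb->sport;
	a->sin6_addr = skb->saddr;
	if (IN6_IS_ADDR_LINKLOCAL(&a->sin6_addr))
		a->sin6_scope_id = (uint32_t)skb->iif;
	else
		a->sin6_scope_id = 0;
}

static struct fake_skb make_skb(const char *saddr_text, int iif)
{
	struct fake_skb skb;

	memset(&skb, 0, sizeof skb);        /* "::" if saddr_text is invalid */
	inet_pton(AF_INET6, saddr_text, &skb.saddr);
	skb.sport = htons(36412);           /* constructed source port */
	skb.iif = iif;
	return skb;
}

/* Run one implementation over a poison-filled buffer and return the result. */
static struct sockaddr_in6 run_msgname(msgname_fn fn, const char *saddr_text, int iif)
{
	struct fake_skb skb = make_skb(saddr_text, iif);
	struct sockaddr_in6 a;

	memset(&a, POISON_BYTE, sizeof a);  /* model the caller's dirty stack */
	fn(&skb, &a);
	return a;
}

/* The scope_id that recvmsg() would copy out in msg_name. */
static uint32_t scope_id_seen(msgname_fn fn, const char *saddr_text, int iif)
{
	struct sockaddr_in6 a = run_msgname(fn, saddr_text, iif);

	return a.sin6_scope_id;
}

/* Bytes of the sockaddr_in6 (from sin6_family to the end, which skips the
 * BSD-only sin6_len) that fn() never wrote: each one is stack content that
 * would reach userspace. */
static size_t unwritten_bytes(msgname_fn fn, const char *saddr_text, int iif)
{
	struct sockaddr_in6 a = run_msgname(fn, saddr_text, iif);
	const unsigned char *p = (const unsigned char *)&a;
	size_t i, n = 0;

	for (i = offsetof(struct sockaddr_in6, sin6_family); i < sizeof a; i++)
		if (p[i] == POISON_BYTE)
			n++;
	return n;
}

int main(void)
{
	const char *global = "2001:db8::1", *ll = "fe80::1";

	printf("global src, before: scope_id=0x%08x, %zu unwritten bytes\n",
	       scope_id_seen(msgname_before, global, 3),
	       unwritten_bytes(msgname_before, global, 3));
	printf("global src, after : scope_id=0x%08x, %zu unwritten bytes\n",
	       scope_id_seen(msgname_after, global, 3),
	       unwritten_bytes(msgname_after, global, 3));
	printf("link-local src, after: scope_id=%u\n",
	       scope_id_seen(msgname_after, ll, 3));
	return 0;
}
```

Compile with `cc -Wall example.c`. With a global source address the pre-patch version returns scope_id 0xa5a5a5a5 and 4 unwritten bytes, the post-patch version returns 0 and 0, and with a link-local source both return the interface index. The same poison-then-diff check works for any other sockaddr-filling path that reaches userspace through msg_name, and is a cheap regression test to keep beside a fix like this one.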