From patchwork Tue Oct 16 18:18:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcelo Ricardo Leitner X-Patchwork-Id: 984945 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="Xq88BuUr"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 42ZNq26PqBz9s8T for ; Wed, 17 Oct 2018 05:18:38 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727396AbeJQCKR (ORCPT ); Tue, 16 Oct 2018 22:10:17 -0400 Received: from mail-qt1-f193.google.com ([209.85.160.193]:45408 "EHLO mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727006AbeJQCKR (ORCPT ); Tue, 16 Oct 2018 22:10:17 -0400 Received: by mail-qt1-f193.google.com with SMTP id e10-v6so26870552qtq.12; Tue, 16 Oct 2018 11:18:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=uhqWUTXTxa3+yd4tzgVv66UUIwfc2kJRCkRia7umDwo=; b=Xq88BuUrIb/M4/PEm6WovmwdkC3jT+c7yj+BSUS76xq8x8/v9Jow0xRLdiIMpLmYzr TFYtIXUFE7B8RLmjx67CjUKsuM2hBW+eVkgxjSWwK2mMwiXwtWUTWPFX17imEQQjHaLo 8thHNg4D7QJKERIKVqqyRAAYK+XzzZlIr00T6Mm5tuo3aXkHzZutZ+nuP63nc7W+8pCM V36oBMBc3vKlGYHkvHF0O/XihyQ/nmZnJMcv//fvRkDKLjJ9rTMRqyUZRJPEOiV6aeSv v99e3gDY58/nQsdmT8ppopmE5T10Q/iYno4/e9lsqqPFmvrsjzhhjTeLPiLjfl+PazNl DvPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=uhqWUTXTxa3+yd4tzgVv66UUIwfc2kJRCkRia7umDwo=; b=tYGHKYPfRjCA9u5NUhtYzFhUTc2bFw+eE2KCvPZWXKaQLBRCECGWUY1a6MCEst0LSl MDE4oG3O9Z8d8SqaBwfss8iPaknPA4zKO3pTwSR/lswH+HfgOMjBfBdhmHpt1wu1GR3j GVHj3N4ptv3g8aVv2i+ZBtPjHASAMrKgYWTPtmLcwgjBJ2eppWWMRneFW5RbvoFDjNbv bbYnjCOTyCyQG748d4D6wTExHVn1zt0dgKHXoB1lCUvK4fN53iJCfkJa0oeT94QLUNPk jJmYkFE2xg9vvhq5xk4LUmKq3W/Ctl7+ToWmyeh71F4tWP7edWufF2aNI1uSIPXBZFIr pFSQ== X-Gm-Message-State: ABuFfoiGb5nKXfvMfvqSa27rEOnX/DyzdZUBKYI0VevoAsddHqH2iTcE k770xzKVE0MGF3s6GZsLNIY= X-Google-Smtp-Source: ACcGV60ISCwIwgBjgM9RmTqalKJ1D1lsGNgJVzjU7xm0BgyaWwk7LtfGAyJfOmNUvCKLnZavwq8Eaw== X-Received: by 2002:ac8:3a82:: with SMTP id x2-v6mr21836473qte.342.1539713915549; Tue, 16 Oct 2018 11:18:35 -0700 (PDT) Received: from localhost.localdomain ([2001:1284:f019:479c:188f:821f:c423:9541]) by smtp.gmail.com with ESMTPSA id r78-v6sm10883713qki.16.2018.10.16.11.18.34 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 16 Oct 2018 11:18:34 -0700 (PDT) Received: by localhost.localdomain (Postfix, from userid 1000) id E7FF2180C52; Tue, 16 Oct 2018 15:18:31 -0300 (-03) From: Marcelo Ricardo Leitner To: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org, Vlad Yasevich , Neil Horman , Dmitry Vyukov Subject: [PATCH net] sctp: fix race on sctp_id2asoc Date: Tue, 16 Oct 2018 15:18:17 -0300 Message-Id: <081e1546a92f5bde8bdef0366561ff0b8ddd9eb2.1539707812.git.mleitner@redhat.com> X-Mailer: git-send-email 2.17.1 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org syzbot reported an use-after-free involving sctp_id2asoc. Dmitry Vyukov helped to root cause it and it is because of reading the asoc after it was freed: CPU 1 CPU 2 (working on socket 1) (working on socket 2) sctp_association_destroy sctp_id2asoc spin lock grab the asoc from idr spin unlock spin lock remove asoc from idr spin unlock free(asoc) if asoc->base.sk != sk ... [*] This can only be hit if trying to fetch asocs from different sockets. As we have a single IDR for all asocs, in all SCTP sockets, their id is unique on the system. An application can try to send stuff on an id that matches on another socket, and the if in [*] will protect from such usage. But it didn't consider that as that asoc may belong to another socket, it may be freed in parallel (read: under another socket lock). We fix it by moving the checks in [*] into the protected region. This fixes it because the asoc cannot be freed while the lock is held. Reported-by: syzbot+c7dd55d7aec49d48e49a@syzkaller.appspotmail.com Acked-by: Dmitry Vyukov Signed-off-by: Marcelo Ricardo Leitner Acked-by: Neil Horman --- net/sctp/socket.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index f73e9d38d5ba734d7ee3347e4015fd30d355bbfa..a7722f43aa69801c31409d4914c99946ee5533f5 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -271,11 +271,10 @@ struct sctp_association *sctp_id2assoc(struct sock *sk, sctp_assoc_t id) spin_lock_bh(&sctp_assocs_id_lock); asoc = (struct sctp_association *)idr_find(&sctp_assocs_id, (int)id); + if (asoc && (asoc->base.sk != sk || asoc->base.dead)) + asoc = NULL; spin_unlock_bh(&sctp_assocs_id_lock); - if (!asoc || (asoc->base.sk != sk) || asoc->base.dead) - return NULL; - return asoc; }