linux/include
Xin Long 0356010d82 sctp: bring inet(6)_skb_parm back to sctp_input_cb
inet(6)_skb_parm was removed from sctp_input_cb by Commit a1dd2cf2f1
("sctp: allow changing transport encap_port by peer packets"), as it
thought sctp_input_cb->header is not used any more in SCTP.

syzbot reported a crash:

  [ ] BUG: KASAN: use-after-free in decode_session6+0xe7c/0x1580
  [ ]
  [ ] Call Trace:
  [ ]  <IRQ>
  [ ]  dump_stack+0x107/0x163
  [ ]  kasan_report.cold+0x1f/0x37
  [ ]  decode_session6+0xe7c/0x1580
  [ ]  __xfrm_policy_check+0x2fa/0x2850
  [ ]  sctp_rcv+0x12b0/0x2e30
  [ ]  sctp6_rcv+0x22/0x40
  [ ]  ip6_protocol_deliver_rcu+0x2e8/0x1680
  [ ]  ip6_input_finish+0x7f/0x160
  [ ]  ip6_input+0x9c/0xd0
  [ ]  ipv6_rcv+0x28e/0x3c0

It was caused by sctp_input_cb->header/IP6CB(skb) still being used in the sctp rx
path decode_session6() but some members being overwritten by sctp6_rcv().

This patch is to fix it by bringing inet(6)_skb_parm back to sctp_input_cb
and not overwriting it in sctp4/6_rcv() and sctp_udp_rcv().

Reported-by: syzbot+5be8aebb1b7dfa90ef31@syzkaller.appspotmail.com
Fixes: a1dd2cf2f1 ("sctp: allow changing transport encap_port by peer packets")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://lore.kernel.org/r/136c1a7a419341487c504be6d1996928d9d16e02.1604472932.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-11-05 14:27:30 -08:00
acpi pci-v5.10-changes 2020-10-22 12:41:00 -07:00
asm-generic vmlinux.lds.h: Keep .ctors.* with .ctors 2020-10-27 11:13:41 -07:00
clocksource
crypto X.509: Fix modular build of public_key_sm2 2020-10-08 16:39:14 +11:00
drm sound updates for 5.10 2020-10-15 11:07:44 -07:00
dt-bindings ARM: Devicetree updates 2020-10-24 10:44:18 -07:00
keys
kunit treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
kvm ARM: 2020-10-23 11:17:56 -07:00
linux net: dsa: Add DSA driver for Hirschmann Hellcreek switches 2020-11-05 14:04:49 -08:00
math-emu
media ARM: SoC platform updates 2020-10-24 10:33:08 -07:00
memory
misc
net sctp: bring inet(6)_skb_parm back to sctp_input_cb 2020-11-05 14:27:30 -08:00
pcmcia
ras mm,hwpoison: introduce MF_MSG_UNSPLIT_THP 2020-10-16 11:11:17 -07:00
rdma RDMA: Add rdma_connect_locked() 2020-10-28 09:14:49 -03:00
scsi SCSI misc on 20201023 2020-10-23 16:19:02 -07:00
soc soc/fsl/qbman: Add an argument to signal if NAPI processing is required. 2020-11-03 17:41:03 -08:00
sound ASoC: Updates for v5.10 2020-10-12 16:08:57 +02:00
target
trace afs: Fix afs_invalidatepage to adjust the dirty region 2020-10-29 13:53:04 +00:00
uapi net: sched: implement action-specific terse dump 2020-11-05 08:27:43 -08:00
vdso
video
xen xen: branch for v5.10-rc1c 2020-10-25 10:55:35 -07:00