avoid BUG_ON on sctp_wait_for_sndbuf in kernel-net-sctp CVE-2017-5986 remote and do not peel off an assoc from one netns to another one in kernel-net-sctp CVE-2017-15115
asked 2017-12-13 07:57:46 +0200
Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.
A backported patch is available.
The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.
Kernel-3.16 patch and kernel-3.2 patch (bwh: Backported to 3.2: - Add #include <linux/nsproxy.h> - Adjust context) are available.
file affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/sctp/socket.c lines 4218-4222; 6494-6500
so the patch should look like (maybe add #include <linux/nsproxy.h> if needed):
@@ -4218,6 +4218,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
struct sctp_af *af;
int err = 0;
+ /* Do not peel off from one netns to another one. */
+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
+ return -EINVAL;
+
if (!asoc)
return -EINVAL;
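Review bot: `current->nsproxy->net_ns` on the added line needs `<linux/nsproxy.h>` in net/sctp/socket.c, which the 3.2 backport note above adds explicitly; check whether the 3.4.108 file already includes it, otherwise this hunk will not compile. Placing the `net_eq()` check before `if (!asoc)` is fine, since `asoc` has only been looked up and not touched yet, so a peel-off attempted from a different netns than the one the socket belongs to is rejected with `-EINVAL` regardless of whether the association id is valid, which is the behaviour the CVE-2017-15115 fix wants.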
@@ -6494,7 +6494,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
*/
sctp_release_sock(sk);
current_timeo = schedule_timeout(current_timeo);
- BUG_ON(sk != asoc->base.sk);
+ if (sk != asoc->base.sk)
+ goto do_error;
sctp_lock_sock(sk);
*timeo_p = current_timeo;
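Review bot: the new `goto do_error` jumps past the `sctp_lock_sock(sk)` that follows `sctp_release_sock(sk)`, so on this path the function returns with the socket unlocked; verify that a `do_error:` label exists in the 3.4 version of sctp_wait_for_sndbuf and that its error/`out:` path and the caller in sctp_sendmsg tolerate an unlocked socket, otherwise re-take the lock before the `goto`. Replacing `BUG_ON(sk != asoc->base.sk)` with an error return is the right shape for the CVE-2017-5986 fix: after a concurrent peel-off the association belongs to a different socket, and the pending send should fail rather than panic the kernel.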