avoid BUG_ON on sctp_wait_for_sndbuf in kernel-net-sctp CVE-2017-5986 remote and do not peel off an assoc from one netns to another one in kernel-net-sctp CVE-2017-15115

Tracked by Jolla (Rejected)

asked 2017-12-13 07:57:46 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-12-19 23:35:21 +0200

lpr gravatar image

Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.

Backported Patch is available.

The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.

Kernel-3.16 Patch and Kernel-3.2-Patch (bwh: Backported to 3.2: - Add #include <linux nsproxy.h=""> - Adjust context) are available.</linux>

file affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/sctp/socket.c lines 4218-4222; 6494-6500

so the patch should look like (maybe Add #include <linux nsproxy.h=""> if needed):</linux>

@@ -4218,6 +4218,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
struct sctp_af *af;
int err = 0;

+   /* Do not peel off from one netns to another one. */
+   if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
+       return -EINVAL;
+
if (!asoc)
    return -EINVAL;

@@ -6494,7 +6494,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
     */
    sctp_release_sock(sk);
    current_timeo = schedule_timeout(current_timeo);
-       BUG_ON(sk != asoc->base.sk);
+       if (sk != asoc->base.sk)
+           goto do_error;
    sctp_lock_sock(sk);

    *timeo_p = current_timeo;
edit retag flag offensive close delete