Home Home > GIT Browse > SLE12-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-07-18 08:26:13 +0200
committerJiri Slaby <jslaby@suse.cz>2019-07-18 09:30:36 +0200
commit19f2ac5590e2e7e189cf443f7d906e5aaebbd652 (patch)
tree0373b5fdd68bd788cf3856068ecb2b715f47f071
parent20fe9aa7b3fb10c2fc0bb58585cdb272a9883657 (diff)
Fix memory leak in sctp_process_init
(networking-stable-19_06_09).
-rw-r--r--patches.suse/Fix-memory-leak-in-sctp_process_init.patch123
-rw-r--r--series.conf1
2 files changed, 124 insertions, 0 deletions
diff --git a/patches.suse/Fix-memory-leak-in-sctp_process_init.patch b/patches.suse/Fix-memory-leak-in-sctp_process_init.patch
new file mode 100644
index 0000000000..1199e00203
--- /dev/null
+++ b/patches.suse/Fix-memory-leak-in-sctp_process_init.patch
@@ -0,0 +1,123 @@
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Mon, 3 Jun 2019 16:32:59 -0400
+Subject: Fix memory leak in sctp_process_init
+Git-commit: 0a8dd9f67cd0da7dc284f48b032ce00db1a68791
+Patch-mainline: 5.2-rc4
+References: networking-stable-19_06_09
+
+syzbot found the following leak in sctp_process_init
+BUG: memory leak
+unreferenced object 0xffff88810ef68400 (size 1024):
+ comm "syz-executor273", pid 7046, jiffies 4294945598 (age 28.770s)
+ hex dump (first 32 bytes):
+ 1d de 28 8d de 0b 1b e3 b5 c2 f9 68 fd 1a 97 25 ..(........h...%
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000a02cebbd>] kmemleak_alloc_recursive include/linux/kmemleak.h:55
+[inline]
+ [<00000000a02cebbd>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<00000000a02cebbd>] slab_alloc mm/slab.c:3326 [inline]
+ [<00000000a02cebbd>] __do_kmalloc mm/slab.c:3658 [inline]
+ [<00000000a02cebbd>] __kmalloc_track_caller+0x15d/0x2c0 mm/slab.c:3675
+ [<000000009e6245e6>] kmemdup+0x27/0x60 mm/util.c:119
+ [<00000000dfdc5d2d>] kmemdup include/linux/string.h:432 [inline]
+ [<00000000dfdc5d2d>] sctp_process_init+0xa7e/0xc20
+net/sctp/sm_make_chunk.c:2437
+ [<00000000b58b62f8>] sctp_cmd_process_init net/sctp/sm_sideeffect.c:682
+[inline]
+ [<00000000b58b62f8>] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1384
+[inline]
+ [<00000000b58b62f8>] sctp_side_effects net/sctp/sm_sideeffect.c:1194
+[inline]
+ [<00000000b58b62f8>] sctp_do_sm+0xbdc/0x1d60 net/sctp/sm_sideeffect.c:1165
+ [<0000000044e11f96>] sctp_assoc_bh_rcv+0x13c/0x200
+net/sctp/associola.c:1074
+ [<00000000ec43804d>] sctp_inq_push+0x7f/0xb0 net/sctp/inqueue.c:95
+ [<00000000726aa954>] sctp_backlog_rcv+0x5e/0x2a0 net/sctp/input.c:354
+ [<00000000d9e249a8>] sk_backlog_rcv include/net/sock.h:950 [inline]
+ [<00000000d9e249a8>] __release_sock+0xab/0x110 net/core/sock.c:2418
+ [<00000000acae44fa>] release_sock+0x37/0xd0 net/core/sock.c:2934
+ [<00000000963cc9ae>] sctp_sendmsg+0x2c0/0x990 net/sctp/socket.c:2122
+ [<00000000a7fc7565>] inet_sendmsg+0x64/0x120 net/ipv4/af_inet.c:802
+ [<00000000b732cbd3>] sock_sendmsg_nosec net/socket.c:652 [inline]
+ [<00000000b732cbd3>] sock_sendmsg+0x54/0x70 net/socket.c:671
+ [<00000000274c57ab>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2292
+ [<000000008252aedb>] __sys_sendmsg+0x80/0xf0 net/socket.c:2330
+ [<00000000f7bf23d1>] __do_sys_sendmsg net/socket.c:2339 [inline]
+ [<00000000f7bf23d1>] __se_sys_sendmsg net/socket.c:2337 [inline]
+ [<00000000f7bf23d1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2337
+ [<00000000a8b4131f>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:3
+
+The problem was that the peer.cookie value points to an skb allocated
+area on the first pass through this function, at which point it is
+overwritten with a heap allocated value, but in certain cases, where a
+COOKIE_ECHO chunk is included in the packet, a second pass through
+sctp_process_init is made, where the cookie value is re-allocated,
+leaking the first allocation.
+
+Fix is to always allocate the cookie value, and free it when we are done
+using it.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
+CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/sm_make_chunk.c | 13 +++----------
+ net/sctp/sm_sideeffect.c | 5 +++++
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2321,7 +2321,6 @@ int sctp_process_init(struct sctp_associ
+ struct list_head *pos, *temp;
+ struct sctp_af *af;
+ union sctp_addr addr;
+- char *cookie;
+ int src_match = 0;
+
+ /* We must include the address that the INIT packet came from.
+@@ -2426,14 +2425,6 @@ int sctp_process_init(struct sctp_associ
+ /* Peer Rwnd : Current calculated value of the peer's rwnd. */
+ asoc->peer.rwnd = asoc->peer.i.a_rwnd;
+
+- /* Copy cookie in case we need to resend COOKIE-ECHO. */
+- cookie = asoc->peer.cookie;
+- if (cookie) {
+- asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp);
+- if (!asoc->peer.cookie)
+- goto clean_up;
+- }
+-
+ /* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
+ * high (for example, implementations MAY use the size of the receiver
+ * advertised window).
+@@ -2599,7 +2590,9 @@ do_addr_param:
+ case SCTP_PARAM_STATE_COOKIE:
+ asoc->peer.cookie_len =
+ ntohs(param.p->length) - sizeof(sctp_paramhdr_t);
+- asoc->peer.cookie = param.cookie->body;
++ asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
++ if (!asoc->peer.cookie)
++ retval = 0;
+ break;
+
+ case SCTP_PARAM_HEARTBEAT_INFO:
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -854,6 +854,11 @@ static void sctp_cmd_new_state(sctp_cmd_
+ asoc->rto_initial;
+ }
+
++ if (sctp_state(asoc, ESTABLISHED)) {
++ kfree(asoc->peer.cookie);
++ asoc->peer.cookie = NULL;
++ }
++
+ if (sctp_state(asoc, ESTABLISHED) ||
+ sctp_state(asoc, CLOSED) ||
+ sctp_state(asoc, SHUTDOWN_RECEIVED)) {
diff --git a/series.conf b/series.conf
index ad139d5628..373146ca3a 100644
--- a/series.conf
+++ b/series.conf
@@ -22709,6 +22709,7 @@
patches.arch/x86-cpu-amd-don-t-force-the-cpb-cap-when-running-under-a-hypervisor.patch
patches.fixes/fuse-fallocate-fix-return-with-locked-inode.patch
patches.fixes/s390-qeth-fix-vlan-attribute-in-bridge_hostnotify-udev-event
+ patches.suse/Fix-memory-leak-in-sctp_process_init.patch
patches.drivers/net-mvpp2-Use-strscpy-to-handle-stat-strings.patch
patches.fixes/pktgen-do-not-sleep-with-the-thread-lock-held.patch
patches.drivers/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch