Linux: CVE-2017-6353: sctp: deny peeloff operation on asocs with threads sleeping on it

[Salvatore Bonaccorso <carnil () debian org>]

Hi

Via the CVE webform, MITRE has assigned CVE-2017-6353 for:

https://marc.info/?l=linux-netdev&m=148785309416337&w=2

> Subject:    [PATCH net] sctp: deny peeloff operation on asocs with threads sleeping on it
> From:       Marcelo Ricardo Leitner <marcelo.leitner () gmail ! com>
> Date:       2017-02-23 12:31:18
>
> commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
> attempted to avoid a BUG_ON call when the association being used for a
> sendmsg() is blocked waiting for more sndbuf and another thread did a
> peeloff operation on such asoc, moving it to another socket.
>
> As Ben Hutchings noticed, then in such case it would return without
> locking back the socket and would cause two unlocks in a row.
>
> Further analysis also revealed that it could allow a double free if the
> application managed to peeloff the asoc that is created during the
> sendmsg call, because then sctp_sendmsg() would try to free the asoc
> that was created only for that call.
>
> This patch takes another approach. It will deny the peeloff operation
> if there is a thread sleeping on the asoc, so this situation doesn't
> exist anymore. This avoids the issues described above and also honors
> the syscalls that are already being handled (it can be multiple sendmsg
> calls).
>
> Joint work with Xin Long.
>
> Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
> Cc: Alexander Popov <alex.popov () linux com>
> Cc: Ben Hutchings <ben () decadent org uk>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner () gmail com>
> Signed-off-by: Xin Long <lucien.xin () gmail com>
> ---
> Hi, please consider this one for -stable too. Thanks
>
> net/sctp/socket.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index 1b5d669e30292a57ed57dd920d81be2a57f97b22..d04a8b66098c8a574642b026bff990ac64c21468 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -4734,6 +4734,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
>       if (!asoc)
>               return -EINVAL;
>
> +      /* If there is a thread waiting on more sndbuf space for
> +       * sending on this asoc, it cannot be peeled.
> +       */
> +      if (waitqueue_active(&asoc->wait))
> +              return -EBUSY;
> +
>       /* An association cannot be branched off from an already peeled-off
>        * socket, nor is this supported for tcp style sockets.
>        */
> @@ -7426,8 +7432,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
>                */
>               release_sock(sk);
>               current_timeo = schedule_timeout(current_timeo);
> -              if (sk != asoc->base.sk)
> -                      goto do_error;
>               lock_sock(sk);
>
>               *timeo_p = current_timeo;
> -- 
> 2.9.3

This was found while reviewing the fix of CVE-2017-5986 (2dcab5984841
("sctp: avoid BUG_ON on sctp_wait_for_sndbuf"))

Regards,
Salvatore