linux-stable/sctp at db0517ac659e0ac61b916cffc29564cf3ab58b0d - linux-stable - MyRedstone

Kernel/linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-16 18:26:42 +00:00

History

Or Cohen 301084de76 net/sctp: fix race condition in sctp_destroy_sock

commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b upstream.

If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock
held and sp->do_auto_asconf is true, then an element is removed
from the auto_asconf_splist without any proper locking.

This can happen in the following functions:
1. In sctp_accept, if sctp_sock_migrate fails.
2. In inet_create or inet6_create, if there is a bpf program
   attached to BPF_CGROUP_INET_SOCK_CREATE which denies
   creation of the sctp socket.

The bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock
instead of sctp_close.

This addresses CVE-2021-23133.

Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2021-04-28 13:16:48 +02:00

..

associola.c

sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket

2020-06-30 23:17:05 -04:00

auth.c

sctp: fix sctp_auth_init_hmacs() error path

2020-10-14 10:31:23 +02:00

bind_addr.c

sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket

2020-06-30 23:17:05 -04:00

chunk.c

sctp: frag_point sanity check

2019-12-13 08:52:29 +01:00

debug.c

sctp: add SCTP_CID_I_DATA and SCTP_CID_I_FWD_TSN conversion in sctp_cname

2018-02-12 11:40:01 -05:00

diag.c

inet_diag: return classid for all socket types

2020-03-18 07:14:11 +01:00

endpointola.c

sctp: cache netns in sctp_ep_common

2019-12-05 09:21:32 +01:00

input.c

sctp: change to hold/put transport for proto_unreach_timer

2020-11-24 13:27:18 +01:00

inqueue.c

sctp: fix the issue that the cookie-ack with auth can't get processed

2018-05-02 11:15:33 -04:00

ipv6.c

net-ipv6: bugfix - raw & sctp - switch to ipv6_can_nonlocal_bind()

2021-04-14 08:22:33 +02:00

Kconfig

sctp: whitespace fixes

2018-07-24 14:10:42 -07:00

Makefile

sctp: rename sctp_diag.c as diag.c

2018-02-13 13:56:31 -05:00

objcnt.c

proc: introduce proc_create_seq{,_data}

2018-05-16 07:23:35 +02:00

offload.c

sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment

2019-02-27 10:08:58 +01:00

output.c

sctp: increase sk_wmem_alloc when head->truesize is increased

2019-12-13 08:52:00 +01:00

outqueue.c

sctp: move trace_sctp_probe_path into sctp_outq_sack

2020-10-01 13:14:30 +02:00

primitive.c

sctp: remove the typedef sctp_subtype_t

2017-08-06 21:33:42 -07:00

proc.c

net: fix iteration for sctp transport seq_files

2021-02-23 15:00:58 +01:00

protocol.c

sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket

2020-06-30 23:17:05 -04:00

sm_make_chunk.c

sctp: Fix SHUTDOWN CTSN Ack in the peer restart case

2020-05-10 10:30:10 +02:00

sm_sideeffect.c

sctp: change to hold/put transport for proto_unreach_timer

2020-11-24 13:27:18 +01:00

sm_statefuns.c

sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed

2020-06-03 08:19:23 +02:00

sm_statetable.c

sctp: implement validate_ftsn for sctp_stream_interleave

2017-12-15 13:52:22 -05:00

socket.c

net/sctp: fix race condition in sctp_destroy_sock

2021-04-28 13:16:48 +02:00

stream_interleave.c

net/sctp: Make wrappers for accessing in/out streams

2018-08-11 12:25:15 -07:00

stream_sched_prio.c

net/sctp: Make wrappers for accessing in/out streams

2018-08-11 12:25:15 -07:00

stream_sched_rr.c

net/sctp: Make wrappers for accessing in/out streams

2018-08-11 12:25:15 -07:00

stream_sched.c

net/sctp: Make wrappers for accessing in/out streams

2018-08-11 12:25:15 -07:00

stream.c

sctp: shrink stream outq when fails to do addstream reconf

2020-07-31 18:37:48 +02:00

sysctl.c

sctp: support sysctl to allow users to use stream interleave

2017-12-15 13:52:22 -05:00

transport.c

sctp: change to hold/put transport for proto_unreach_timer

2020-11-24 13:27:18 +01:00

tsnmap.c

sctp: Fix FSF address in file headers

2013-12-06 12:37:56 -05:00

ulpevent.c

sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg

2018-05-10 17:48:36 -04:00

ulpqueue.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2017-12-22 11:16:31 -05:00