linux-hardened/net/sctp
Xin Long 715f5552b1 sctp: hold the transport before using it in sctp_hash_cmp
Since commit 4f00878126 ("sctp: apply rhashtable api to send/recv
path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp,
in which it compares the members of the transport with the rhashtable
args to check if it's the right transport.

But sctp uses the transport without holding it in sctp_hash_cmp, which can
cause a use-after-free panic: after it gets the transport from the hashtable,
another CPU may close the sk and free the asoc. In sctp_association_free,
it frees all the transports; meanwhile, the assoc's refcnt may be reduced
to 0, and the assoc can be destroyed by sctp_association_destroy.

So after that, transport->assoc is actually an unavailable memory address
in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still
cannot avoid this, as the assoc is not freed by RCU.

This patch is to hold the transport before checking its members with
sctp_transport_hold, which checks the refcnt first and holds the transport
if it's not 0.

Fixes: 4f00878126 ("sctp: apply rhashtable api to send/recv path")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-13 11:44:58 -04:00
associola.c sctp: add SCTP_PR_SUPPORTED on sctp sockopt 2016-07-11 13:25:38 -07:00
auth.c sctp: Use shash 2016-01-27 20:36:15 +08:00
bind_addr.c sctp: fix copying more bytes than expected in sctp_add_bind_addr 2016-03-08 15:04:08 -05:00
chunk.c sctp: implement prsctp PRIO policy 2016-07-11 13:25:39 -07:00
debug.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
endpointola.c sctp: add SCTP_PR_SUPPORTED on sctp sockopt 2016-07-11 13:25:38 -07:00
input.c sctp: hold the transport before using it in sctp_hash_cmp 2016-09-13 11:44:58 -04:00
inqueue.c sctp: linearize early if it's not GSO 2016-08-19 17:09:42 -07:00
ipv6.c sctp: use inet_recvmsg to support sctp RFS well 2016-07-25 10:56:28 -07:00
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile sctp: Add GSO support 2016-06-03 19:37:21 -04:00
objcnt.c sctp: fix checkpatch errors with (foo*)|foo * bar|foo* bar 2013-12-26 13:47:47 -05:00
offload.c sctp: fix GSO for IPv6 2016-07-16 22:02:09 -07:00
output.c sctp: identify chunks that need to be fragmented at IP level 2016-09-09 19:18:33 -07:00
outqueue.c sctp: implement prsctp PRIO policy 2016-07-11 13:25:39 -07:00
primitive.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
probe.c net: sctp: Convert log timestamps to be y2038 safe 2016-03-01 17:18:44 -05:00
proc.c net/sctp: always initialise sctp_ht_iter::start_fail 2016-08-13 15:10:16 -07:00
protocol.c sctp: use inet_recvmsg to support sctp RFS well 2016-07-25 10:56:28 -07:00
sctp_diag.c sctp: fix overrun in sctp_diag_dump_one() 2016-08-23 17:22:53 -07:00
sm_make_chunk.c sctp: avoid identifying address family many times for a chunk 2016-07-13 18:10:14 -07:00
sm_sideeffect.c sctp: sctp should change socket state when shutdown is received 2016-06-10 23:21:23 -07:00
sm_statefuns.c sctp: only check for ECN if peer is using it 2016-07-13 18:10:14 -07:00
sm_statetable.c sctp: fix checkpatch errors with indent 2013-12-26 13:47:48 -05:00
socket.c sctp: allow receiving msg when TCP-style sk is in CLOSED state 2016-07-30 22:06:22 -07:00
ssnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
sysctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-11 23:55:43 -05:00
transport.c sctp: avoid refreshing heartbeat timer too often 2016-04-10 22:22:34 -04:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: use event->chunk when it's valid 2016-08-08 14:31:23 -07:00
ulpqueue.c sctp: allow delivering notifications after receiving SHUTDOWN 2016-07-30 22:06:22 -07:00