net-sctp: CVE-2015-1421

Fix slab corruption from use after free on INIT collisions Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1421 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/ ?id=43e39c2f63240f67a67b4060882f67dac1a6f339 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-15 13:57:31 +0100
committer: Zhenhua Luo <zhenhua.luo@nxp.com> 2015-12-21 13:56:09 +0800
commit: 3518613fa48ac30c20b67731c60acc92dd11abc1 (patch)
tree: 0ade7fc0b9462e1b41d3c1b3e6678a1bd488b72e
parent: 210e6d5bd15a7b6dede180e2c4a8f9d5d4484e92 (diff)
download: meta-fsl-ppc-3518613fa48ac30c20b67731c60acc92dd11abc1.tar.gz
2 files changed, 139 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2015-1421.patch b/recipes-kernel/linux/files/net-sctp-CVE-2015-1421.patch
new file mode 100644
index 0000000..37e04f5
--- /dev/null
+++ b/recipes-kernel/linux/files/net-sctp-CVE-2015-1421.patch
@@ -0,0 +1,138 @@
+commit 43e39c2f63240f67a67b4060882f67dac1a6f339
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu, 22 Jan 2015 18:26:54 +0100
+Subject: net: sctp: fix slab corruption from use after free on INIT collisions
+[ Upstream commit 600ddd6825543962fb807884169e57b580dba208 ]
+When hitting an INIT collision case during the 4WHS with AUTH enabled, as
+already described in detail in commit 1be9a950c646 ("net: sctp: inherit
+auth_capable on INIT collisions"), it can happen that we occasionally
+still remotely trigger the following panic on server side which seems to
+have been uncovered after the fix from commit 1be9a950c646 ...
+[  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
+[  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
+[  533.940559] PGD 5030f2067 PUD 0
+[  533.957104] Oops: 0000 [#1] SMP
+[  533.974283] Modules linked in: sctp mlx4_en [...]
+[  534.939704] Call Trace:
+[  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
+[  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
+[  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
+[  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
+[  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
+[  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
+[  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
+[  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
+... or depending on the the application, for example this one:
+[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
+[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
+[ 1370.054568] PGD 633c94067 PUD 0
+[ 1370.070446] Oops: 0000 [#1] SMP
+[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
+[ 1370.963431] Call Trace:
+[ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
+[ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
+[ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
+[ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
+[ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
+With slab debugging enabled, we can see that the poison has been overwritten:
+[  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
+[  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
+[  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
+[  669.826424]  __slab_alloc+0x4bf/0x566
+[  669.826433]  __kmalloc+0x280/0x310
+[  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
+[  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
+[  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
+[  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
+[  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
+[  669.826635]  __slab_free+0x39/0x2a8
+[  669.826643]  kfree+0x1d6/0x230
+[  669.826650]  kzfree+0x31/0x40
+[  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
+[  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
+[  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]
+Since this only triggers in some collision-cases with AUTH, the problem at
+heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
+when having refcnt 1, once directly in sctp_assoc_update() and yet again
+from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
+the already kzfree'd memory, which is also consistent with the observation
+of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
+at a later point in time when poison is checked on new allocation).
+Reference counting of auth keys revisited:
+Shared keys for AUTH chunks are being stored in endpoints and associations
+in endpoint_shared_keys list. On endpoint creation, a null key is being
+added; on association creation, all endpoint shared keys are being cached
+and thus cloned over to the association. struct sctp_shared_key only holds
+a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
+keeps track of users internally through refcounting. Naturally, on assoc
+or enpoint destruction, sctp_shared_key are being destroyed directly and
+the reference on sctp_auth_bytes dropped.
+User space can add keys to either list via setsockopt(2) through struct
+sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
+adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
+with refcount 1 and in case of replacement drops the reference on the old
+sctp_auth_bytes. A key can be set active from user space through setsockopt()
+on the id via sctp_auth_set_active_key(), which iterates through either
+endpoint_shared_keys and in case of an assoc, invokes (one of various places)
+sctp_auth_asoc_init_active_key().
+sctp_auth_asoc_init_active_key() computes the actual secret from local's
+and peer's random, hmac and shared key parameters and returns a new key
+directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
+the reference if there was a previous one. The secret, which where we
+eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
+intitial refcount of 1, which also stays unchanged eventually in
+sctp_assoc_update(). This key is later being used for crypto layer to
+set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
+To close the loop: asoc->asoc_shared_key is freshly allocated secret
+material and independant of the sctp_shared_key management keeping track
+of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
+("net: sctp: fix memory leak in auth key management") is independant of
+this bug here since it concerns a different layer (though same structures
+being used eventually). asoc->asoc_shared_key is reference dropped correctly
+on assoc destruction in sctp_association_free() and when active keys are
+being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
+of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
+to remove that sctp_auth_key_put() from there which fixes these panics.
+Fixes CVE-2015-1421
+Upstream-Status: Backport
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/associola.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index 737050f..88ca530 100644
+--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
+@@ -1282,7 +1282,6 @@ void sctp_assoc_update(struct sctp_association *asoc,
+        asoc->peer.peer_hmacs = new->peer.peer_hmacs;
+        new->peer.peer_hmacs = NULL;
+ 
+-       sctp_auth_key_put(asoc->asoc_shared_key);
+        sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
+ }
+ 
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index e89a289..8587b48 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://udp-CVE-2015-5364_CVE-2015-5366.patch \
    file://mm-CVE-2014-3122.patch \
    file://media-ttusb-dec-CVE-2014-8884.patch \
+    file://net-sctp-CVE-2015-1421.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-15 13:57:31 +0100
committer	Zhenhua Luo <zhenhua.luo@nxp.com>	2015-12-21 13:56:09 +0800
commit	3518613fa48ac30c20b67731c60acc92dd11abc1 (patch)
tree	0ade7fc0b9462e1b41d3c1b3e6678a1bd488b72e
parent	210e6d5bd15a7b6dede180e2c4a8f9d5d4484e92 (diff)
download	meta-fsl-ppc-3518613fa48ac30c20b67731c60acc92dd11abc1.tar.gz

diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2015-1421.patch b/recipes-kernel/linux/files/net-sctp-CVE-2015-1421.patch new file mode 100644 index 0000000..37e04f5 --- /dev/null +++ b/recipes-kernel/linux/files/net-sctp-CVE-2015-1421.patch
@@ -0,0 +1,138 @@
		1	commit 43e39c2f63240f67a67b4060882f67dac1a6f339
		2	Author: Daniel Borkmann <dborkman@redhat.com>
		3	Date: Thu, 22 Jan 2015 18:26:54 +0100
		4	Subject: net: sctp: fix slab corruption from use after free on INIT collisions
		5
		6	[ Upstream commit 600ddd6825543962fb807884169e57b580dba208 ]
		7
		8	When hitting an INIT collision case during the 4WHS with AUTH enabled, as
		9	already described in detail in commit 1be9a950c646 ("net: sctp: inherit
		10	auth_capable on INIT collisions"), it can happen that we occasionally
		11	still remotely trigger the following panic on server side which seems to
		12	have been uncovered after the fix from commit 1be9a950c646 ...
		13
		14	[ 533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
		15	[ 533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
		16	[ 533.940559] PGD 5030f2067 PUD 0
		17	[ 533.957104] Oops: 0000 [#1] SMP
		18	[ 533.974283] Modules linked in: sctp mlx4_en [...]
		19	[ 534.939704] Call Trace:
		20	[ 534.951833] [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
		21	[ 534.984213] [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
		22	[ 535.015025] [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
		23	[ 535.045661] [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
		24	[ 535.074593] [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
		25	[ 535.105239] [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
		26	[ 535.138606] [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
		27	[ 535.166848] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
		28
		29	... or depending on the the application, for example this one:
		30
		31	[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
		32	[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
		33	[ 1370.054568] PGD 633c94067 PUD 0
		34	[ 1370.070446] Oops: 0000 [#1] SMP
		35	[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
		36	[ 1370.963431] Call Trace:
		37	[ 1370.974632] [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
		38	[ 1371.000863] [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
		39	[ 1371.027154] [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
		40	[ 1371.054679] [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
		41	[ 1371.080183] [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
		42
		43	With slab debugging enabled, we can see that the poison has been overwritten:
		44
		45	[ 669.826368] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
		46	[ 669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
		47	[ 669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
		48	[ 669.826424] __slab_alloc+0x4bf/0x566
		49	[ 669.826433] __kmalloc+0x280/0x310
		50	[ 669.826453] sctp_auth_create_key+0x23/0x50 [sctp]
		51	[ 669.826471] sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
		52	[ 669.826488] sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
		53	[ 669.826505] sctp_do_sm+0x29d/0x17c0 [sctp] [...]
		54	[ 669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
		55	[ 669.826635] __slab_free+0x39/0x2a8
		56	[ 669.826643] kfree+0x1d6/0x230
		57	[ 669.826650] kzfree+0x31/0x40
		58	[ 669.826666] sctp_auth_key_put+0x19/0x20 [sctp]
		59	[ 669.826681] sctp_assoc_update+0x1ee/0x2d0 [sctp]
		60	[ 669.826695] sctp_do_sm+0x674/0x17c0 [sctp]
		61
		62	Since this only triggers in some collision-cases with AUTH, the problem at
		63	heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
		64	when having refcnt 1, once directly in sctp_assoc_update() and yet again
		65	from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
		66	the already kzfree'd memory, which is also consistent with the observation
		67	of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
		68	at a later point in time when poison is checked on new allocation).
		69
		70	Reference counting of auth keys revisited:
		71
		72	Shared keys for AUTH chunks are being stored in endpoints and associations
		73	in endpoint_shared_keys list. On endpoint creation, a null key is being
		74	added; on association creation, all endpoint shared keys are being cached
		75	and thus cloned over to the association. struct sctp_shared_key only holds
		76	a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
		77	keeps track of users internally through refcounting. Naturally, on assoc
		78	or enpoint destruction, sctp_shared_key are being destroyed directly and
		79	the reference on sctp_auth_bytes dropped.
		80
		81	User space can add keys to either list via setsockopt(2) through struct
		82	sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
		83	adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
		84	with refcount 1 and in case of replacement drops the reference on the old
		85	sctp_auth_bytes. A key can be set active from user space through setsockopt()
		86	on the id via sctp_auth_set_active_key(), which iterates through either
		87	endpoint_shared_keys and in case of an assoc, invokes (one of various places)
		88	sctp_auth_asoc_init_active_key().
		89
		90	sctp_auth_asoc_init_active_key() computes the actual secret from local's
		91	and peer's random, hmac and shared key parameters and returns a new key
		92	directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
		93	the reference if there was a previous one. The secret, which where we
		94	eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
		95	intitial refcount of 1, which also stays unchanged eventually in
		96	sctp_assoc_update(). This key is later being used for crypto layer to
		97	set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
		98
		99	To close the loop: asoc->asoc_shared_key is freshly allocated secret
		100	material and independant of the sctp_shared_key management keeping track
		101	of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
		102	("net: sctp: fix memory leak in auth key management") is independant of
		103	this bug here since it concerns a different layer (though same structures
		104	being used eventually). asoc->asoc_shared_key is reference dropped correctly
		105	on assoc destruction in sctp_association_free() and when active keys are
		106	being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
		107	of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
		108	to remove that sctp_auth_key_put() from there which fixes these panics.
		109
		110	Fixes CVE-2015-1421
		111	Upstream-Status: Backport
		112
		113	Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
		114	Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
		115	Acked-by: Vlad Yasevich <vyasevich@gmail.com>
		116	Acked-by: Neil Horman <nhorman@tuxdriver.com>
		117	Signed-off-by: David S. Miller <davem@davemloft.net>
		118	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		119	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		120	---
		121	net/sctp/associola.c \| 1 -
		122	1 file changed, 1 deletion(-)
		123
		124	diff --git a/net/sctp/associola.c b/net/sctp/associola.c
		125	index 737050f..88ca530 100644
		126	--- a/net/sctp/associola.c
		127	+++ b/net/sctp/associola.c
		128	@@ -1282,7 +1282,6 @@ void sctp_assoc_update(struct sctp_association *asoc,
		129	asoc->peer.peer_hmacs = new->peer.peer_hmacs;
		130	new->peer.peer_hmacs = NULL;
		131
		132	- sctp_auth_key_put(asoc->asoc_shared_key);
		133	sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
		134	}
		135
		136	--
		137	cgit v0.11.2
		138


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index e89a289..8587b48 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
35	file://udp-CVE-2015-5364_CVE-2015-5366.patch \	35	file://udp-CVE-2015-5364_CVE-2015-5366.patch \
36	file://mm-CVE-2014-3122.patch \	36	file://mm-CVE-2014-3122.patch \
37	file://media-ttusb-dec-CVE-2014-8884.patch \	37	file://media-ttusb-dec-CVE-2014-8884.patch \
		38	file://net-sctp-CVE-2015-1421.patch \
38	"	39	"
39	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	40	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
40		41