Skip to content

Commit 3930441

Browse files
CIQ Kernel Automationroxanan1996
authored andcommitted
sctp: handle the error returned from sctp_auth_asoc_init_active_key
jira VULN-158562 cve CVE-2022-50243 commit-author Xin Long <lucien.xin@gmail.com> commit 022152a When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freeed while it's still used as active key in asoc. Then an use-after-free will be triggered when sending patckets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens. Fixes: 58acd10 ("sctp: update active_key for asoc when old key is being replaced") Reported-by: syzbot+a236dd8e9622ed8954a3@syzkaller.appspotmail.com Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 022152a) Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
1 parent f0f2e07 commit 3930441

1 file changed

Lines changed: 14 additions & 4 deletions

File tree

net/sctp/auth.c

Lines changed: 14 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -885,12 +885,17 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
885885
}
886886

887887
list_del_init(&shkey->key_list);
888-
sctp_auth_shkey_release(shkey);
889888
list_add(&cur_key->key_list, sh_keys);
890889

891-
if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
892-
sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
890+
if (asoc && asoc->active_key_id == auth_key->sca_keynumber &&
891+
sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
892+
list_del_init(&cur_key->key_list);
893+
sctp_auth_shkey_release(cur_key);
894+
list_add(&shkey->key_list, sh_keys);
895+
return -ENOMEM;
896+
}
893897

898+
sctp_auth_shkey_release(shkey);
894899
return 0;
895900
}
896901

@@ -924,8 +929,13 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep,
924929
return -EINVAL;
925930

926931
if (asoc) {
932+
__u16 active_key_id = asoc->active_key_id;
933+
927934
asoc->active_key_id = key_id;
928-
sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
935+
if (sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
936+
asoc->active_key_id = active_key_id;
937+
return -ENOMEM;
938+
}
929939
} else
930940
ep->active_key_id = key_id;
931941

0 commit comments

Comments
 (0)