git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commit

author	Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	Thu, 23 Feb 2017 12:31:18 +0000 (09:31 -0300)
committer	Tim Gardner <tim.gardner@canonical.com>
	Wed, 22 Mar 2017 13:29:58 +0000 (07:29 -0600)
commit	c0c71fce2a105555a6f66e7a76c5d25072a766d3
tree	b8f470d79cd53fe2ee0e052b63c342e64052b09f	tree
parent	d070400580504c1e93f20e63600b94e89bf814ed	commit \| diff

sctp: deny peeloff operation on asocs with threads sleeping on it

CVE-CVE-2017-5986

commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
attempted to avoid a BUG_ON call when the association being used for a
sendmsg() is blocked waiting for more sndbuf and another thread did a
peeloff operation on such asoc, moving it to another socket.

As Ben Hutchings noticed, then in such case it would return without
locking back the socket and would cause two unlocks in a row.

Further analysis also revealed that it could allow a double free if the
application managed to peeloff the asoc that is created during the
sendmsg call, because then sctp_sendmsg() would try to free the asoc
that was created only for that call.

This patch takes another approach. It will deny the peeloff operation
if there is a thread sleeping on the asoc, so this situation doesn't
exist anymore. This avoids the issues described above and also honors
the syscalls that are already being handled (it can be multiple sendmsg
calls).

Joint work with Xin Long.

Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
Cc: Alexander Popov <alex.popov@linux.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>