Merge branch 'fix-sctp-diag-locking-issues'

Stefan Wiehler says:

====================
Fix SCTP diag locking issues

- Hold RCU read lock while iterating over address list in
  inet_diag_msg_sctpaddrs_fill()
- Prevent TOCTOU out-of-bounds write
- Hold sock lock while iterating over address list in sctp_sock_dump_one()
====================

Link: https://patch.msgid.link/20251028161506.3294376-1-stefan.wiehler@nokia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Jakub Kicinski 2025-11-03 17:09:38 -08:00
commit 7172c8cd65


@ -73,19 +73,26 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
struct nlattr *attr;
void *info = NULL;
rcu_read_lock();
list_for_each_entry_rcu(laddr, address_list, list)
addrcnt++;
rcu_read_unlock();
attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt);
if (!attr)
return -EMSGSIZE;
info = nla_data(attr);
rcu_read_lock();
list_for_each_entry_rcu(laddr, address_list, list) {
memcpy(info, &laddr->a, sizeof(laddr->a));
memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
info += addrlen;
if (!--addrcnt)
break;
}
rcu_read_unlock();
return 0;
}
@ -223,14 +230,15 @@ struct sctp_comm_param {
bool net_admin;
};
static size_t inet_assoc_attr_size(struct sctp_association *asoc)
static size_t inet_assoc_attr_size(struct sock *sk,
struct sctp_association *asoc)
{
int addrlen = sizeof(struct sockaddr_storage);
int addrcnt = 0;
struct sctp_sockaddr_entry *laddr;
list_for_each_entry_rcu(laddr, &asoc->base.bind_addr.address_list,
list)
list, lockdep_sock_is_held(sk))
addrcnt++;
return nla_total_size(sizeof(struct sctp_info))
@ -256,11 +264,14 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t
if (err)
return err;
rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL);
if (!rep)
return -ENOMEM;
lock_sock(sk);
rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
if (!rep) {
release_sock(sk);
return -ENOMEM;
}
if (ep != assoc->ep) {
err = -EAGAIN;
goto out;