[PATCH 3.14 008/122] net: sctp: fix memory leak in auth key management

From: Greg Kroah-Hartman
Date: Wed Nov 19 2014 - 17:01:12 EST

Next message: Greg Kroah-Hartman: "[PATCH 3.14 007/122] net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet"
Previous message: Greg Kroah-Hartman: "[PATCH 3.14 013/122] vio: fix reuse of vio_dring slot"
In reply to: Greg Kroah-Hartman: "[PATCH 3.14 013/122] vio: fix reuse of vio_dring slot"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.14 007/122] net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <dborkman@xxxxxxxxxx>

[ Upstream commit 4184b2a79a7612a9272ce20d639934584a1f3786 ]

A very minimal and simple user space application allocating an SCTP
socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
the socket again will leak the memory containing the authentication
key from user space:

unreferenced object 0xffff8800837047c0 (size 16):
comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
hex dump (first 16 bytes):
01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
[<ffffffff811c88d8>] __kmalloc+0xe8/0x270
[<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
[<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
[<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
[<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
[<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
[<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
[<ffffffffffffffff>] 0xffffffffffffffff

This is bad because of two things, we can bring down a machine from
user space when auth_enable=1, but also we would leave security sensitive
keying material in memory without clearing it after use. The issue is
that sctp_auth_create_key() already sets the refcount to 1, but after
allocation sctp_auth_set_key() does an additional refcount on it, and
thus leaving it around when we free the socket.

Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>
Cc: Vlad Yasevich <vyasevich@xxxxxxxxx>
Acked-by: Neil Horman <nhorman@xxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/sctp/auth.c | 2 --
1 file changed, 2 deletions(-)

--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -862,8 +862,6 @@ int sctp_auth_set_key(struct sctp_endpoi
list_add(&cur_key->key_list, sh_keys);

cur_key->key = key;
- sctp_auth_key_hold(key);
-
return 0;
nomem:
if (!replace)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "[PATCH 3.14 007/122] net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet"
Previous message: Greg Kroah-Hartman: "[PATCH 3.14 013/122] vio: fix reuse of vio_dring slot"
In reply to: Greg Kroah-Hartman: "[PATCH 3.14 013/122] vio: fix reuse of vio_dring slot"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.14 007/122] net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]