Re: [PATCH net] sctp: Avoid out-of-bounds reads from address storage

From: David Miller
Date: Thu Aug 24 2017 - 01:35:15 EST


From: Stefano Brivio <sbrivio@xxxxxxxxxx>
Date: Wed, 23 Aug 2017 13:27:13 +0200

> inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
> sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
> to export diagnostic information to userspace.
>
> However, the memory allocated to store sockaddr information is
> smaller than that and depends on the address family, so we leak
> up to 100 uninitialized bytes to userspace. Just use the size of
> the source structs instead, in all the three cases this is what
> userspace expects. Zero out the remaining memory.
>
> Unused bytes (i.e. when IPv4 addresses are used) in source
> structs sctp_sockaddr_entry and sctp_transport are already
> cleared by sctp_add_bind_addr() and sctp_transport_new(),
> respectively.
>
> Noticed while testing KASAN-enabled kernel with 'ss':
...
> This fixes CVE-2017-7558.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.7+
> Cc: Xin Long <lucien.xin@xxxxxxxxx>
> Cc: Vlad Yasevich <vyasevich@xxxxxxxxx>
> Cc: Neil Horman <nhorman@xxxxxxxxxxxxx>
> Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>

Applied and queued up for -stable.

Do not put "stable@xxxxxxxxx" into networking patch submissions.
For networking, I handle the stable submissions by hand myself.

Thank you.