From 58fbff3df5d6f8caa5353c464db7eb58d3bb3450 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Wed, 15 Feb 2017 11:54:35 +0100
Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
---
 debian/changelog | 1 +
 ...avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch | 39 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 41 insertions(+)
 create mode 100644 debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
diff --git a/debian/changelog b/debian/changelog
index 7221d92c4..f2089d61a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -198,6 +198,7 @@ linux (4.9.9-1) UNRELEASED; urgency=medium
 * IB/rxe: Fix mem_check_range integer overflow (CVE-2016-8636)
 * selinux: fix off-by-one in setprocattr (CVE-2017-2618)
 * ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
+ * sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
 -- Ben Hutchings Fri, 27 Jan 2017 18:14:31 +0000
diff --git a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
new file mode 100644
index 000000000..0fcbbcfd1
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
@@ -0,0 +1,39 @@
+From: Marcelo Ricardo Leitner
+Date: Mon, 6 Feb 2017 18:10:31 -0200
+Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
+Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
+
+Alexander Popov reported that an application may trigger a BUG_ON in
+sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
+waiting on it to queue more data and meanwhile another thread peels off
+the association being used by the first thread.
+
+This patch replaces the BUG_ON call with a proper error handling. It
+will return -EPIPE to the original sendmsg call, similarly to what would
+have been done if the association wasn't found in the first place.
+
+Acked-by: Alexander Popov
+Signed-off-by: Marcelo Ricardo Leitner
+Reviewed-by: Xin Long
+Signed-off-by: David S. Miller
+---
+ net/sctp/socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 37eeab7..e214d2e 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ */
+ release_sock(sk);
+ current_timeo = schedule_timeout(current_timeo);
+- BUG_ON(sk != asoc->base.sk);
++ if (sk != asoc->base.sk)
++ goto do_error;
+ lock_sock(sk);
+
+ *timeo_p = current_timeo;
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index cbd1721ac..9ae396fdb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -107,6 +107,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/IB-rxe-Fix-mem_check_range-integer-overflow.patch
 bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
 bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
+bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
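Review bot: The new `goto do_error` in the embedded net/sctp/socket.c hunk is taken between `release_sock(sk)` and `lock_sock(sk)`, so on the peeled-off path sctp_wait_for_sndbuf returns with the socket lock dropped, whereas every other path out of the wait loop re-takes it first. If the caller (sctp_sendmsg, outside this hunk) still unlocks sk after the -EPIPE return, as the rest of the function's locking suggests, that becomes an unlock without a matching lock, which is a second crash vector in place of the removed BUG_ON. The minimal local fix is to re-acquire the lock before bailing out: `lock_sock(sk);` / `if (sk != asoc->base.sk)` / `goto do_error;`, i.e. move the check after `lock_sock(sk)`; the `do_error`/`out` labels and the enclosing function begin and end outside the hunk, so confirm against them that nothing there drops the lock again. Worth a comment on the check too, such as `/* asoc was peeled off to another socket while we slept; bail with sk still locked */`.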