diff options
| author | Xin Long <lucien.xin@gmail.com> | 2022-09-28 14:10:13 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2022-09-30 12:36:40 +0100 |
| commit | 022152aaebe116a25c39818a07e175a8cd3c1e11 (patch) | |
| tree | ee4098d79a8d7f34f984dd2eb13453593b51b832 /mm/page_io.c | |
| parent | 2568a7e0832ee30b0a351016d03062ab4e0e0a3f (diff) | |
| download | linux-022152aaebe116a25c39818a07e175a8cd3c1e11.tar.bz2 | |
sctp: handle the error returned from sctp_auth_asoc_init_active_key
When it returns an error from sctp_auth_asoc_init_active_key(), the
active_key is actually not updated. The old sh_key will be freeed
while it's still used as active key in asoc. Then an use-after-free
will be triggered when sending patckets, as found by syzbot:
sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
sctp_set_owner_w net/sctp/socket.c:132 [inline]
sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
This patch is to fix it by not replacing the sh_key when it returns
errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().
For sctp_auth_set_active_key(), old active_key_id will be set back
to asoc->active_key_id when the same thing happens.
Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
Reported-by: syzbot+a236dd8e9622ed8954a3@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'mm/page_io.c')
0 files changed, 0 insertions, 0 deletions