superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/net/sctp
History
Kuniyuki Iwashima d7ff61e6f3 sctp: Clear inet_opt in sctp_v6_copy_ip_options(). 
syzbot reported the splat below. [0]

Since the cited commit, the child socket inherits all fields
of its parent socket unless explicitly cleared.

syzbot set IP_OPTIONS to AF_INET6 socket and created a child
socket inheriting inet_sk(sk)->inet_opt.

sctp_v6_copy_ip_options() only clones np->opt, and leaving
inet_opt results in double-free.

Let's clear inet_opt in sctp_v6_copy_ip_options().

[0]:
BUG: KASAN: double-free in inet_sock_destruct+0x538/0x740 net/ipv4/af_inet.c:159
Free of addr ffff8880304b6d40 by task ksoftirqd/0/15

CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report_invalid_free+0xea/0x110 mm/kasan/report.c:557
 check_slab_allocation+0xe1/0x130 include/linux/page-flags.h:-1
 kasan_slab_pre_free include/linux/kasan.h:198 [inline]
 slab_free_hook mm/slub.c:2484 [inline]
 slab_free mm/slub.c:6630 [inline]
 kfree+0x148/0x6d0 mm/slub.c:6837
 inet_sock_destruct+0x538/0x740 net/ipv4/af_inet.c:159
 __sk_destruct+0x89/0x660 net/core/sock.c:2350
 sock_put include/net/sock.h:1991 [inline]
 sctp_endpoint_destroy_rcu+0xa1/0xf0 net/sctp/endpointola.c:197
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x286/0x870 kernel/softirq.c:622
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6003:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __do_kmalloc_node mm/slub.c:5642 [inline]
 __kmalloc_noprof+0x411/0x7f0 mm/slub.c:5654
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ip_options_get+0x51/0x4c0 net/ipv4/ip_options.c:517
 do_ip_setsockopt+0x1d9b/0x2d00 net/ipv4/ip_sockglue.c:1087
 ip_setsockopt+0x66/0x110 net/ipv4/ip_sockglue.c:1417
 do_sock_setsockopt+0x17c/0x1b0 net/socket.c:2360
 __sys_setsockopt net/socket.c:2385 [inline]
 __do_sys_setsockopt net/socket.c:2391 [inline]
 __se_sys_setsockopt net/socket.c:2388 [inline]
 __x64_sys_setsockopt+0x13f/0x1b0 net/socket.c:2388
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 15:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2539 [inline]
 slab_free mm/slub.c:6630 [inline]
 kfree+0x19a/0x6d0 mm/slub.c:6837
 inet_sock_destruct+0x538/0x740 net/ipv4/af_inet.c:159
 __sk_destruct+0x89/0x660 net/core/sock.c:2350
 sock_put include/net/sock.h:1991 [inline]
 sctp_endpoint_destroy_rcu+0xa1/0xf0 net/sctp/endpointola.c:197
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x286/0x870 kernel/softirq.c:622
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Fixes: 16942cf4d3 ("sctp: Use sk_clone() in sctp_accept().")
Reported-by: syzbot+ec33a1a006ed5abe7309@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6936d112.a70a0220.38f243.00a8.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20251210081206.1141086-3-kuniyu@google.com
Acked-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 		2025-12-18 16:18:00 +01:00
..
Kconfig sctp: Convert cookie authentication to use HMAC-SHA256 2025-08-19 19:36:26 -07:00
Makefile sctp: add fair capacity stream scheduler 2023-03-09 11:31:44 +01:00
associola.c sctp: Remove unused sctp_assoc_del_peer and sctp_chunk_iif 2025-05-05 16:51:12 -07:00
auth.c sctp: Use HMAC-SHA1 and HMAC-SHA256 library for chunk authentication 2025-08-19 19:36:25 -07:00
bind_addr.c sctp: fail if no bound addresses can be used for a given scope 2023-01-24 18:32:33 -08:00
chunk.c sctp: Use HMAC-SHA1 and HMAC-SHA256 library for chunk authentication 2025-08-19 19:36:25 -07:00
debug.c
diag.c sctp: Hold sock lock while iterating over address list 2025-11-03 17:09:36 -08:00
endpointola.c sctp: Convert cookie authentication to use HMAC-SHA256 2025-08-19 19:36:26 -07:00
input.c net: sctp: fix KMSAN uninit-value in sctp_inq_pop 2025-10-30 11:21:05 +01:00
inqueue.c sctp: avoid NULL dereference when chunk data buffer is missing 2025-10-22 19:19:31 -07:00
ipv6.c sctp: Clear inet_opt in sctp_v6_copy_ip_options(). 2025-12-18 16:18:00 +01:00
objcnt.c
offload.c sctp: use skb_crc32c() instead of __skb_checksum() 2025-05-21 15:40:16 -07:00
output.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
outqueue.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
primitive.c
proc.c sctp: snmp: do not use SNMP_MIB_SENTINEL anymore 2025-09-08 18:06:21 -07:00
protocol.c sctp: Remove sctp_pf.create_accept_sk(). 2025-10-27 18:04:58 -07:00
sm_make_chunk.c sctp: Convert cookie authentication to use HMAC-SHA256 2025-08-19 19:36:26 -07:00
sm_sideeffect.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
sm_statefuns.c net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() 2025-10-06 11:07:20 -07:00
sm_statetable.c
socket.c sctp: Fetch inet6_sk() after setting ->pinet6 in sctp_clone_sock(). 2025-12-18 16:17:59 +01:00
stream.c sctp: Constify struct sctp_sched_ops 2025-10-28 17:50:55 -07:00
stream_interleave.c sctp: delete the nested flexible array skip 2023-04-21 08:19:29 +01:00
stream_sched.c sctp: Constify struct sctp_sched_ops 2025-10-28 17:50:55 -07:00
stream_sched_fc.c sctp: Constify struct sctp_sched_ops 2025-10-28 17:50:55 -07:00
stream_sched_prio.c sctp: Constify struct sctp_sched_ops 2025-10-28 17:50:55 -07:00
stream_sched_rr.c sctp: Constify struct sctp_sched_ops 2025-10-28 17:50:55 -07:00
sysctl.c sctp: Stop accepting md5 and sha1 for net.sctp.cookie_hmac_alg 2025-08-19 19:36:26 -07:00
transport.c sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto 2025-11-10 16:21:05 -08:00
tsnmap.c
ulpevent.c
ulpqueue.c