Bugzilla – Bug 936502
VUL-0: CVE-2015-3212: kernel-source: SCTP race condition allows list corruption and panic from userlevel
Last modified: 2024-07-04 09:15:21 UTC
via rh bug#1226442

A flaw was found in the Linux kernel's handling of SCTP's automatic handling of dynamic multi-homed connections. A race condition exists in the way the Linux kernel handles lists of associations in SCTP sockets using Address Configuration Change messages, leading to list corruption and panics.

References:
http://marc.info/?l=linux-netdev&m=143277436124732&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=1226442
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

->auto_asconf_splist is per namespace and mangled by functions like sctp_setsockopt_auto_asconf() which don't guarantee any serialization. Also, the call to inet_sk_copy_descendant() was backing up ->auto_asconf_list through the copy but was not honoring ->do_auto_asconf, which could lead to list corruption if it was different between both sockets.

This commit thus fixes the list handling by adding a spinlock to protect against multiple writers and converts the list to be protected by RCU too, so that we don't have a lock inversion issue at sctp_addr_wq_timeout_handler().

And as this list now uses RCU, we cannot do such backup and restore while copying descendant data anymore as readers may be traversing the list meanwhile. We fix this by simply ignoring/not copying those fields, placed at the end of struct sctp_sock, so we can just ignore it together with struct ipv6_pinfo data. For that we create sctp_copy_descendant() so we don't clutter inet_sk_copy_descendant() with SCTP info.

Issue was found with a test application that kept flipping sysctl default_auto_asconf on and off.

Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
commit 9f7d653b67aed2d92540fbb0a8adaf32fcf352ae
Author: Michio Honda <micchie@sfc.wide.ad.jp>
Date: Tue Apr 26 19:32:51 2011 +0900

was added for 3.0 apparently
bugbot adjusting priority
Michal, could you have a look please? I will be submitting the SLE11-SP3-TD kernel next week and would appreciate having the backport there.
(In reply to Marcus Meissner from comment #2)
> commit 9f7d653b67aed2d92540fbb0a8adaf32fcf352ae
> Author: Michio Honda <micchie@sfc.wide.ad.jp>
> Date: Tue Apr 26 19:32:51 2011 +0900
>
> was added for 3.0 apparently

I can't see any trace of it in either stable-3.0.y or in SLE11-SP4. As far as I can say, only 13.1, 13.2 and SLE12(-SP1) should be affected (and Factory, of course, until 4.1.2 stable update gets in).
(In reply to Michal Kubeček from comment #5)
> (In reply to Marcus Meissner from comment #2)
> > commit 9f7d653b67aed2d92540fbb0a8adaf32fcf352ae
> > Author: Michio Honda <micchie@sfc.wide.ad.jp>
> > Date: Tue Apr 26 19:32:51 2011 +0900
> >
> > was added for 3.0 apparently
>
> I can't see any trace of it in either stable-3.0.y or in SLE11-SP4. As far
> as I can say, only 13.1, 13.2 and SLE12(-SP1) should be affected (and
> Factory, of course, until 4.1.2 stable update gets in).

git describe --contains claims this is reachable from v3.0-git1. The tag is a bit weird and the commit is not directly reachable from 3.0:

    git rev-list v3.0 ^9f7d653b67aed2d92540fbb0a8adaf32fcf352ae | wc -l
    2066
    git rev-list ^v3.0 9f7d653b67aed2d92540fbb0a8adaf32fcf352ae | wc -l
    35

so it seems like this didn't get to 3.0 after all. A quick check of include/net/sctp/sctp.h shows that sctp_addr_wq_mgmt or other functions added here are not present.

Thanks for double checking Michal!
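The affected-version check discussed in comments #5 and #6 (does a release tag contain a given commit?) can be scripted with ancestry instead of trusting `git describe --contains`. This is an added example, not part of the bug report or of the kernel tree; the repository it builds is constructed in a temporary directory only to exercise the functions.

```shell
#!/bin/sh
# Added example: decide whether a commit (e.g. the one that introduced a
# vulnerable feature) is part of a release tag. `git describe --contains`
# can report odd tags like v3.0-git1; ancestry answers the question directly.
# Prints "yes" if <commit> is an ancestor of <tag>, "no" otherwise.
commit_in_tag() {
    repo=$1; commit=$2; tag=$3
    if git -C "$repo" merge-base --is-ancestor "$commit" "$tag" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Number of commits reachable from <commit> but not from <tag>; this is the
# same "git rev-list ^v3.0 <commit> | wc -l" check as above. A non-zero count
# means the commit did not make it into that release.
missing_from_tag() {
    repo=$1; commit=$2; tag=$3
    git -C "$repo" rev-list "^$tag" "$commit" | wc -l | tr -d ' '
}

# Constructed test fixture (not a real kernel tree): one commit tagged v3.0,
# then one more commit on top of it. Prints the repository path.
make_demo_repo() {
    d=$(mktemp -d)
    git -C "$d" init -q
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "released code"
    git -C "$d" tag v3.0
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "feature added after the release"
    echo "$d"
}

# Stand-alone run: show both answers on the constructed repository.
if [ "${DEMO:-0}" = 1 ]; then
    r=$(make_demo_repo)
    later=$(git -C "$r" rev-parse HEAD)
    echo "in v3.0: $(commit_in_tag "$r" "$later" v3.0)"
    echo "commits missing from v3.0: $(missing_from_tag "$r" "$later" v3.0)"
    rm -rf "$r"
fi
```

Run with `DEMO=1 sh script.sh` to see the constructed case; against a real tree, call `commit_in_tag /path/to/linux 9f7d653b67ae v3.0` directly.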
The fix is now in SLE12, SLE12-SP1, openSUSE-13.1 and openSUSE-13.2. Closing.
SUSE-SU-2015:1324-1: An update that solves 11 vulnerabilities and has 63 fixes is now available.

Category: security (important)
Bug References: 854817,854824,858727,866911,867362,895814,903279,907092,908491,915183,917630,918618,921430,924071,924526,926369,926953,927455,927697,927786,928131,929475,929696,929879,929974,930092,930399,930579,930599,930972,931124,931403,931538,931620,931860,931988,932348,932793,932897,932898,932899,932900,932967,933117,933429,933637,933896,933904,933907,934160,935083,935085,935088,935174,935542,935881,935918,936012,936423,936445,936446,936502,936556,936831,936875,937032,937087,937609,937612,937613,937616,938022,938023,938024
CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-1805,CVE-2015-3212,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-5364,CVE-2015-5366

Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): kernel-default-3.12.44-52.10.1
SUSE Linux Enterprise Software Development Kit 12 (src): kernel-docs-3.12.44-52.10.3, kernel-obs-build-3.12.44-52.10.1
SUSE Linux Enterprise Server 12 (src): kernel-default-3.12.44-52.10.1, kernel-source-3.12.44-52.10.1, kernel-syms-3.12.44-52.10.1, kernel-xen-3.12.44-52.10.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.44-52.10.1
SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_6-1-2.1
SUSE Linux Enterprise Desktop 12 (src): kernel-default-3.12.44-52.10.1, kernel-source-3.12.44-52.10.1, kernel-syms-3.12.44-52.10.1, kernel-xen-3.12.44-52.10.1
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728

Sources used:
openSUSE 13.1 (src): cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1