• Xin Long's avatar
    sctp: fully initialize v4 addr in some functions · b6f3320b
    Xin Long authored
    Syzbot found a crash:
    
      BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
      BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
      BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
      Call Trace:
        crc32_body lib/crc32.c:112 [inline]
        crc32_le_generic lib/crc32.c:179 [inline]
        __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
        chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
        crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
        crc32c+0x150/0x220 lib/libcrc32c.c:47
        sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
        __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
        sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
        sctp_packet_pack net/sctp/output.c:528 [inline]
        sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
        sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
        sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
        sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
        sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
        sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
        sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
        sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
        sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
        sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
        sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
    
    The issue was caused by transport->ipaddr set with uninit addr param, which
    was passed by:
    
      sctp_transport_init net/sctp/transport.c:47 [inline]
      sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
      sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
      sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
    
    where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
    the padding of addr->v4.
    
    Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
    will become the part of skb, and the issue occurs.
    
    This patch is to fix it by initializing the padding of addr->v4 in
    sctp_v4_from_addr_param(), as well as other functions that do the similar
    thing, and these functions shouldn't trust that the caller initializes the
    memory, as Marcelo suggested.
    
    Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
    Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
    Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    b6f3320b
protocol.c 43 KB