sctp: fix an use-after-free issue in sctp_sock_dump · d25adbeb
Xin Long authored
    Commit 86fdb344 ("sctp: ensure ep is not destroyed before doing the
    dump") tried to fix a use-after-free issue by checking !sctp_sk(sk)->ep
    while holding the sock and the sock lock.
    
    But Paolo noticed that the endpoint could be destroyed in sctp_rcv without
    sock lock protection. It means the use-after-free issue could still be
    triggered when sctp_rcv puts and destroys ep after sctp_sock_dump checks
    !ep, although it's pretty hard to reproduce.
    
    I could reproduce it by using mdelay in sctp_rcv while using msleep in
    sctp_close and sctp_sock_dump for a long time.
    
    This patch adds another param, cb_done, to sctp_for_each_transport and
    dumps ep->assocs while holding tsp after jumping out of the transport
    traversal in it, to avoid this issue.
    
    It can also improve the sctp diag dump and make it run faster, as there is
    no need to save sk into cb->args[5] and keep calling sctp_for_each_transport
    any more.
    
    This patch also uses int * instead of int for the pos argument in
    sctp_for_each_transport, so that the position is incremented only in
    sctp_for_each_transport and there is no need to keep changing cb->args[2]
    in sctp_sock_filter and sctp_sock_dump any more.
    
    Fixes: 86fdb344 ("sctp: ensure ep is not destroyed before doing the dump")
    Reported-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
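The race the message describes, as an added userspace model that is not part of the kernel patch: the reference chain it assumes (a transport holds its association, an association holds its endpoint, the socket holds the endpoint) is a modelling assumption, the `struct`, function and `scenario` names are invented for the example, and nothing is really freed: a `live` flag stands in for the destroy path so the bad interleaving can be observed rather than crash. `dump_check_then_use` is the pre-fix shape (check `!ep`, then use it with nothing held), `for_each_transport` with `cb`/`cb_done` and `int *pos` is the post-fix shape, where `cb_done` runs with the transport still held after the traversal has stopped.

```c
/* Added example: a userspace model of the ep <- asoc <- transport reference
 * chain, not kernel code.  All names here are invented for the example. */
#include <stdbool.h>
#include <stdio.h>

struct endpoint    { int refcnt; bool live; };
struct association { int refcnt; bool live; struct endpoint *ep; };
struct transport   { int refcnt; bool live; struct association *asoc; };

static void endpoint_put(struct endpoint *ep)
{
    if (--ep->refcnt == 0)
        ep->live = false;            /* stands in for the endpoint destroy path */
}

static void association_put(struct association *a)
{
    if (--a->refcnt == 0) {
        a->live = false;
        endpoint_put(a->ep);         /* the association's reference on ep */
    }
}

static void transport_hold(struct transport *t) { t->refcnt++; }

static void transport_put(struct transport *t)
{
    if (--t->refcnt == 0) {
        t->live = false;
        association_put(t->asoc);    /* the transport's reference on asoc */
    }
}

/* One socket, one endpoint, one association, one transport (constructed). */
struct scenario {
    struct endpoint ep;
    struct association asoc;
    struct transport tsp;
    struct endpoint *sk_ep;          /* the socket's pointer, like sctp_sk(sk)->ep */
};

static void scenario_init(struct scenario *s)
{
    s->ep   = (struct endpoint){ .refcnt = 2, .live = true };                   /* socket + asoc */
    s->asoc = (struct association){ .refcnt = 2, .live = true, .ep = &s->ep };   /* owner + tsp */
    s->tsp  = (struct transport){ .refcnt = 1, .live = true, .asoc = &s->asoc }; /* owner */
    s->sk_ep = &s->ep;
}

/* The interleaving from the commit message: the socket closes and the receive
 * path tears the association down while the dumper is between check and use. */
static void close_and_rcv_window(struct scenario *s)
{
    endpoint_put(&s->ep);            /* close: socket drops its ep reference */
    transport_put(&s->tsp);          /* teardown drops the transport ... */
    association_put(&s->asoc);       /* ... and the association itself */
}

/* What the dumper does with ep (walk ep->assocs): 0 on a live endpoint,
 * -1 where the real code would have touched freed memory. */
static int dump_endpoint(struct endpoint *ep) { return ep->live ? 0 : -1; }

/* Pre-fix shape: check !ep, then use it later with nothing held. */
static int dump_check_then_use(struct scenario *s)
{
    if (!s->sk_ep)
        return 0;                    /* the !sctp_sk(sk)->ep check */
    close_and_rcv_window(s);
    return dump_endpoint(s->sk_ep);
}

/* Post-fix shape: cb picks the transport, cb_done walks the endpoint while the
 * iterator still holds that transport; position bookkeeping lives only here. */
static int for_each_transport(struct transport *tbl, int n,
                              int (*cb)(struct transport *, void *),
                              int (*cb_done)(struct transport *, void *),
                              int *pos, void *p)
{
    int ret = 0;

    for (; *pos < n; (*pos)++) {
        struct transport *t = &tbl[*pos];

        transport_hold(t);
        ret = cb(t, p);
        if (ret) {
            ret = cb_done(t, p);     /* after the traversal, transport still held */
            transport_put(t);
            (*pos)++;
            break;
        }
        transport_put(t);
    }
    return ret;
}

static int stop_at_first(struct transport *t, void *p) { (void)t; (void)p; return 1; }

static int dump_under_hold(struct transport *t, void *p)
{
    close_and_rcv_window(p);         /* same race window, but tsp is held */
    return dump_endpoint(t->asoc->ep);
}

static int run_buggy(void)
{
    struct scenario s;
    scenario_init(&s);
    return dump_check_then_use(&s);
}

static int run_fixed(void)
{
    struct scenario s;
    int pos = 0;
    scenario_init(&s);
    return for_each_transport(&s.tsp, 1, stop_at_first, dump_under_hold, &pos, &s);
}

/* The hold must not leak either: after the fixed run every object is gone. */
static bool fixed_run_releases_everything(void)
{
    struct scenario s;
    int pos = 0;
    scenario_init(&s);
    for_each_transport(&s.tsp, 1, stop_at_first, dump_under_hold, &pos, &s);
    return !s.ep.live && !s.asoc.live && !s.tsp.live && pos == 1;
}

int main(void)
{
    printf("check-then-use: %d (-1 = endpoint gone under the dumper)\n", run_buggy());
    printf("hold-then-use:  %d\n", run_fixed());
    return 0;
}
```

The point of the model is the last reference: with nothing held, the socket's put plus the association teardown take the endpoint to zero before the dumper uses it; with the transport held across `cb_done`, the association keeps its transport reference and therefore its endpoint reference, and the dumper's own `transport_put` afterwards is what finally releases the chain.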