pve-kernel-lowlatency-qoup/patches/kernel/0022-sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Xin Long <lucien.xin@gmail.com>
Date: Thu, 7 Dec 2017 16:07:00 +0100
Subject: [PATCH] sctp: do not peel off an assoc from one netns to another one
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Now when peeling off an association to the sock in another netns, all
transports in this assoc are not to be rehashed and keep use the old
key in hashtable.

As a transport uses sk->net as the hash key to insert into hashtable,
it would miss removing these transports from hashtable due to the new
netns when closing the sock and all transports are being freeed, then
later an use-after-free issue could be caused when looking up an asoc
and dereferencing those transports.

This is a very old issue since very beginning, ChunYu found it with
syzkaller fuzz testing with this series:

  socket$inet6_sctp()
  bind$inet6()
  sendto$inet6()
  unshare(0x40000000)
  getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
  getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()

This patch is to block this call when peeling one assoc off from one
netns to another one, so that the netns of all transport would not
go out-sync with the key in hashtable.

Note that this patch didn't fix it by rehashing transports, as it's
difficult to handle the situation when the tuple is already in use
in the new netns. Besides, no one would like to peel off one assoc
to another netns, considering ipaddrs, ifaces, etc. are usually
different.

Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2017-15115
(cherry picked from commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 net/sctp/socket.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 8d760863bc41..52f388e0448e 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4894,6 +4894,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
 	struct socket *sock;
 	int err = 0;
 
+	/* Do not peel off from one netns to another one. */
+	if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
+		return -EINVAL;
+
 	if (!asoc)
 		return -EINVAL;
 
-- 
2.14.2
restructure patches rebase on Ubuntu-4.13.0-32.35 the effective kernel tree which gets compiled after patches have been applied is functionally identical (modulo parts for architectures which we don't care about and Ubuntu build files) 2018-01-29 16:22:56 +03:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Xin Long <lucien.xin@gmail.com>`
			`Date: Thu, 7 Dec 2017 16:07:00 +0100`
			`Subject: [PATCH] sctp: do not peel off an assoc from one netns to another one`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Now when peeling off an association to the sock in another netns, all`
			`transports in this assoc are not to be rehashed and keep use the old`
			`key in hashtable.`

			`As a transport uses sk->net as the hash key to insert into hashtable,`
			`it would miss removing these transports from hashtable due to the new`
			`netns when closing the sock and all transports are being freeed, then`
			`later an use-after-free issue could be caused when looking up an asoc`
			`and dereferencing those transports.`

			`This is a very old issue since very beginning, ChunYu found it with`
			`syzkaller fuzz testing with this series:`

			`socket$inet6_sctp()`
			`bind$inet6()`
			`sendto$inet6()`
			`unshare(0x40000000)`
			`getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()`
			`getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()`

			`This patch is to block this call when peeling one assoc off from one`
			`netns to another one, so that the netns of all transport would not`
			`go out-sync with the key in hashtable.`

			`Note that this patch didn't fix it by rehashing transports, as it's`
			`difficult to handle the situation when the tuple is already in use`
			`in the new netns. Besides, no one would like to peel off one assoc`
			`to another netns, considering ipaddrs, ifaces, etc. are usually`
			`different.`

			`Reported-by: ChunYu Wang <chunwang@redhat.com>`
			`Signed-off-by: Xin Long <lucien.xin@gmail.com>`
			`Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>`
			`Acked-by: Neil Horman <nhorman@tuxdriver.com>`
			`Signed-off-by: David S. Miller <davem@davemloft.net>`

			`CVE-2017-15115`
			`(cherry picked from commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74)`
			`Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>`
			`Acked-by: Colin Ian King <colin.king@canonical.com>`
			`Acked-by: Stefan Bader <stefan.bader@canonical.com>`
			`Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>`
			`Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>`
			`---`
			`net/sctp/socket.c \| 4 ++++`
			`1 file changed, 4 insertions(+)`

			`diff --git a/net/sctp/socket.c b/net/sctp/socket.c`
			`index 8d760863bc41..52f388e0448e 100644`
			`--- a/net/sctp/socket.c`
			`+++ b/net/sctp/socket.c`
			`@@ -4894,6 +4894,10 @@ int sctp_do_peeloff(struct sock sk, sctp_assoc_t id, struct socket *sockp)`
			`struct socket *sock;`
			`int err = 0;`

			`+ /* Do not peel off from one netns to another one. */`
			`+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))`
			`+ return -EINVAL;`
			`+`
			`if (!asoc)`
			`return -EINVAL;`

			`--`
			`2.14.2`