Commit 1031462a authored Jan 08, 2025 by Matthieu Baerts (NGI0) Committed by Greg Kroah-Hartman Feb 01, 2025

sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy

commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.

As mentioned in a previous commit of this series, using the 'net'
structure via 'current' is not recommended for different reasons:

- Inconsistency: getting info from the reader's/writer's netns vs only
  from the opener's netns.

- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
  (null-ptr-deref), e.g. when the current task is exiting, as spotted by
  syzbot [1] using acct(2).

The 'net' structure can be obtained from the table->data using
container_of().

Note that table->data could also be used directly, as this is the only
member needed from the 'net' structure, but that would increase the size
of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is
used.

Fixes: 3c68198e ("sctp: Make hmac algorithm selection for cookie generation dynamic")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com

 [1]
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent ec037fe8

net/sctp/sysctl.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -441,7 +441,8 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
		void __user buffer, size_t lenp,
		loff_t *ppos)
		{
		struct net *net = current->nsproxy->net_ns;
		struct net *net = container_of(ctl->data, struct net,
		sctp.sctp_hmac_alg);
		struct ctl_table tbl;
		int new_value, ret;