linux/net/mptcp
Paolo Abeni 0a3f4f1f9c mptcp: fix UaF in listener shutdown
As reported by Christoph after having refactored the passive
socket initialization, the mptcp listener shutdown path is prone
to a UaF issue.

  BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0
  Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266

  CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x6e/0x91
   print_report+0x16a/0x46f
   kasan_report+0xad/0x130
   kasan_check_range+0x14a/0x1a0
   _raw_spin_lock_bh+0x73/0xe0
   subflow_error_report+0x6d/0x110
   sk_error_report+0x3b/0x190
   tcp_disconnect+0x138c/0x1aa0
   inet_child_forget+0x6f/0x2e0
   inet_csk_listen_stop+0x209/0x1060
   __mptcp_close_ssk+0x52d/0x610
   mptcp_destroy_common+0x165/0x640
   mptcp_destroy+0x13/0x80
   __mptcp_destroy_sock+0xe7/0x270
   __mptcp_close+0x70e/0x9b0
   mptcp_close+0x2b/0x150
   inet_release+0xe9/0x1f0
   __sock_release+0xd2/0x280
   sock_close+0x15/0x20
   __fput+0x252/0xa20
   task_work_run+0x169/0x250
   exit_to_user_mode_prepare+0x113/0x120
   syscall_exit_to_user_mode+0x1d/0x40
   do_syscall_64+0x48/0x90
   entry_SYSCALL_64_after_hwframe+0x72/0xdc

The msk grace period can legitimately expire in between the last
reference count dropped in mptcp_subflow_queue_clean() and
the later eventual access in inet_csk_listen_stop().

After the previous patch we no longer need to special-case
msk listener socket cleanup: the mptcp worker will process each
of the unaccepted msk sockets.

Just drop the now unnecessary code.

Please note this commit depends on the two parent ones:

  mptcp: refactor passive socket initialization
  mptcp: use the workqueue to destroy unaccepted sockets

Fixes: 6aeed90450 ("mptcp: fix race on unaccepted mptcp sockets")
Cc: stable@vger.kernel.org
Reported-and-tested-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/346
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-03-10 21:42:56 -08:00
bpf.c bpf: Add bpf_skc_to_mptcp_sock_proto 2022-05-20 15:29:00 -07:00
crypto_test.c mptcp: move crypto test to KUNIT 2020-06-26 16:21:39 -07:00
crypto.c kunit: mptcp: adhere to KUNIT formatting standard 2021-04-16 17:10:40 -07:00
ctrl.c mptcp: Add a per-namespace sysctl to set the default path manager type 2022-04-29 17:25:14 -07:00
diag.c
fastopen.c mptcp: add subflow_v(4,6)_send_synack() 2022-11-29 20:24:25 -08:00
Kconfig kunit: mptcp: adhere to KUNIT formatting standard 2021-04-16 17:10:40 -07:00
Makefile mptcp: implement delayed seq generation for passive fastopen 2022-11-29 20:24:25 -08:00
mib.c mptcp: add more offered MIBs counter 2022-05-05 19:00:16 -07:00
mib.h mptcp: add more offered MIBs counter 2022-05-05 19:00:16 -07:00
mptcp_diag.c tcp: Access &tcp_hashinfo via net. 2022-09-20 10:21:49 -07:00
options.c mptcp: use local variable ssk in write_options 2023-01-09 07:30:49 +00:00
pm_netlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-02-09 12:25:40 -08:00
pm_userspace.c mptcp: userspace pm: use a single point of exit 2023-01-26 13:33:30 +01:00
pm.c mptcp: netlink: respect v4/v6-only sockets 2023-01-13 21:55:45 -08:00
protocol.c mptcp: fix UaF in listener shutdown 2023-03-10 21:42:56 -08:00
protocol.h mptcp: fix UaF in listener shutdown 2023-03-10 21:42:56 -08:00
sockopt.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-02-09 12:25:40 -08:00
subflow.c mptcp: fix UaF in listener shutdown 2023-03-10 21:42:56 -08:00
syncookies.c mptcp: don't return sockets in foreign netns 2021-09-24 10:51:36 +01:00
token_test.c mptcp: init sk->sk_prot in build_msk() 2023-01-09 07:30:50 +00:00
token.c mptcp: add statistics for mptcp socket in use 2023-01-09 07:30:50 +00:00