| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Sep 2021 16:14:36 -0700 (PDT)
From: Mat Martineau <mathew.j.martineau@...ux.intel.com>
To: Tim Gardner <tim.gardner@...onical.com>
cc: mptcp@...ts.linux.dev,
Matthieu Baerts <matthieu.baerts@...sares.net>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH][next] mptcp: Avoid NULL dereference in
mptcp_getsockopt_subflow_addrs()
On Mon, 20 Sep 2021, Mat Martineau wrote:
> On Mon, 20 Sep 2021, Tim Gardner wrote:
>
>> Coverity complains of a possible NULL dereference in
>> mptcp_getsockopt_subflow_addrs():
>>
>> 861 } else if (sk->sk_family == AF_INET6) {
>> 3. returned_null: inet6_sk returns NULL. [show details]
>> 4. var_assigned: Assigning: np = NULL return value from inet6_sk.
>> 862 const struct ipv6_pinfo *np = inet6_sk(sk);
>>
>> Fix this by checking for NULL.
>>
>> Cc: Mat Martineau <mathew.j.martineau@...ux.intel.com>
>> Cc: Matthieu Baerts <matthieu.baerts@...sares.net>
>> Cc: "David S. Miller" <davem@...emloft.net>
>> Cc: Jakub Kicinski <kuba@...nel.org>
>> Cc: netdev@...r.kernel.org
>> Cc: mptcp@...ts.linux.dev
>> Cc: linux-kernel@...r.kernel.org
>> Signed-off-by: Tim Gardner <tim.gardner@...onical.com>
>>
>> [ I'm not at all sure this is the right thing to do since the final result is to
>> return garbage to user space in mptcp_getsockopt_subflow_addrs(). Is this one
>> of those cases where inet6_sk() can't fail ?]
>
> Hi Tim -
>
> Thanks for noticing this and proposing a fix.
>
> As you commented, this isn't the right change to merge since
> mptcp_getsockopt_subflow_addrs() would copy garbage.
>
> This block of code already checks that CONFIG_IPV6 is enabled, so the
> question is whether sk_fullsock() would return false because the subflow is
> in TCP_TIME_WAIT or TCP_NEW_SYN_RECV. The caller is iterating over sockets in
> the MPTCP socket's conn_list, which does not contain request_socks (so there
> are no sockets in the TCP_NEW_SYN_RECV state).
>
> TCP subflow sockets are normally removed from the conn_list before they are
> closed by their parent MPTCP socket, but I need to double-check for corner
> cases. I created a github issue to track this:
> https://github.com/multipath-tcp/mptcp_net-next/issues/231
>
Tim,
Could you submit a v2 of this patch? Paolo took a look and the condition
should not happen, but adding the NULL check would be a good idea and
returning early as your patch does is ok. The data copied after the early
return will be zeroed and look like the address family is AF_UNSPEC.
Could you add a
Fixes: https://github.com/multipath-tcp/mptcp_net-next/issues/231
tag and make the one change below?
>
>> ---
>> net/mptcp/sockopt.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c
>> index 8137cc3a4296..c89f2bedce79 100644
>> --- a/net/mptcp/sockopt.c
>> +++ b/net/mptcp/sockopt.c
>> @@ -861,6 +861,9 @@ static void mptcp_get_sub_addrs(const struct sock *sk,
>> struct mptcp_subflow_addr
>> } else if (sk->sk_family == AF_INET6) {
>> const struct ipv6_pinfo *np = inet6_sk(sk);
>>
>> + if (!np)
This could be
if (WARN_ON_ONCE(!np))
(as suggested by Paolo) to make it clear the condition is unexpected.
>> + return;
>> +
>> a->sin6_local.sin6_family = AF_INET6;
>> a->sin6_local.sin6_port = inet->inet_sport;
>>
>> --
>> 2.33.0
Thanks,
--
Mat Martineau
Intel
Powered by blists - more mailing lists