| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 05 Feb 2020 14:08:35 +0100 (CET) From: David Miller <davem@...emloft.net> To: fw@...len.de Cc: netdev@...r.kernel.org, cpaasch@...le.com, pabeni@...hat.com Subject: Re: [PATCH net] mptcp: fix use-after-free on tcp fallback From: Florian Westphal <fw@...len.de> Date: Tue, 4 Feb 2020 18:12:30 +0100 > When an mptcp socket connects to a tcp peer or when a middlebox interferes > with tcp options, mptcp needs to fall back to plain tcp. > Problem is that mptcp is trying to be too clever in this case: > > It attempts to close the mptcp meta sk and transparently replace it with > the (only) subflow tcp sk. > > Unfortunately, this is racy -- the socket is already exposed to userspace. > Any parallel calls to send/recv/setsockopt etc. can cause use-after-free: > > BUG: KASAN: use-after-free in atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline] ... > While the use-after-free can be resolved, there is another problem: > sock->ops and sock->sk assignments are not atomic, i.e. we may get calls > into mptcp functions with sock->sk already pointing at the subflow socket, > or calls into tcp functions with a mptcp meta sk. > > Remove the fallback code and call the relevant functions for the (only) > subflow in case the mptcp socket is connected to tcp peer. > > Reported-by: Christoph Paasch <cpaasch@...le.com> > Diagnosed-by: Paolo Abeni <pabeni@...hat.com> > Signed-off-by: Florian Westphal <fw@...len.de> Applied, thanks Florian.
Powered by blists - more mailing lists