Date: Fri, 29 May 2020 10:35:45 -0700 (PDT)
From: Mat Martineau <mathew.j.martineau@...ux.intel.com>
To: Paolo Abeni <pabeni@...hat.com>
cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>
Subject: Re: [PATCH net 2/3] mptcp: fix race between MP_JOIN and close

On Fri, 29 May 2020, Paolo Abeni wrote:

> If a MP_JOIN subflow completes the 3whs while another
> CPU is closing the master msk, we can hit the
> following race:
>
> CPU1                               CPU2
>
> close()
> mptcp_close
>                                    subflow_syn_recv_sock
>                                    mptcp_token_get_sock
>                                    mptcp_finish_join
>                                    inet_sk_state_load
> mptcp_token_destroy
> inet_sk_state_store(TCP_CLOSE)
> __mptcp_flush_join_list()
>                                    mptcp_sock_graft
>                                    list_add_tail
> sk_common_release
> sock_orphan()
> <socket free>
>
> The MP_JOIN socket will be leaked. Additionally we can hit
> UaF for the msk 'struct socket' referenced via the 'conn'
> field.
>
> This change tries to address the issue introducing some
> synchronization between the MP_JOIN 3whs and mptcp_close
> via the join_list spinlock. If we detect the msk is closing
> the MP_JOIN socket is closed, too.
>
> Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> ---
>  net/mptcp/protocol.c | 42 +++++++++++++++++++++++++++---------------
>  1 file changed, 27 insertions(+), 15 deletions(-)
>

Reviewed-by: Mat Martineau <mathew.j.martineau@...ux.intel.com>

-- 
Mat Martineau
Intel
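A constructed C model of the race and of the fix described in the quoted commit message, added here as an illustration; it is not kernel code and not the patch itself. The msk, its join_list and the spinlock are reduced to a few fields, and the CPU1/CPU2 interleaving from the diagram is replayed deterministically in one thread. Names such as msk_close, finish_join_patched and subflow_leaked are hypothetical stand-ins for the kernel functions.

```c
#include <assert.h>
#include <stdbool.h>
/* Constructed model of the MPTCP master socket (msk) and an MP_JOIN subflow:
 * only the state and the join_list that the race in the commit message touches. */
struct subflow { bool closed; };
struct msk {
    bool closing;               /* models inet_sk_state == TCP_CLOSE */
    struct subflow *join_list[4];
    int njoin;
    int locked;                 /* stands in for the join_list spinlock */
};
static void lock(struct msk *m)   { assert(!m->locked); m->locked = 1; }
static void unlock(struct msk *m) { assert(m->locked);  m->locked = 0; }
/* mptcp_close(): store TCP_CLOSE, then flush join_list, closing every queued subflow. */
static void msk_close(struct msk *m)
{
    lock(m);
    m->closing = true;
    for (int i = 0; i < m->njoin; i++) m->join_list[i]->closed = true;
    m->njoin = 0;
    unlock(m);
}
/* Unpatched join: the state check and the list add are separate steps, so
 * msk_close() can run in between and flush the list before the add happens. */
static bool join_check_unpatched(const struct msk *m) { return !m->closing; }
static void join_add_unpatched(struct msk *m, struct subflow *sf)
{
    lock(m); m->join_list[m->njoin++] = sf; unlock(m);
}
/* Patched join: check and add share the lock that close takes, so the subflow
 * either reaches the list before the flush or is closed right here. */
static bool finish_join_patched(struct msk *m, struct subflow *sf)
{
    lock(m);
    bool ok = !m->closing;
    if (ok) m->join_list[m->njoin++] = sf; else sf->closed = true;
    unlock(m);
    return ok;
}
/* Replay the CPU1/CPU2 interleaving from the commit message; true means the
 * MP_JOIN subflow ends up neither on the join_list nor closed, i.e. leaked. */
static bool subflow_leaked(bool patched)
{
    struct msk m = {0}; struct subflow sf = {0};
    bool ok = patched ? true : join_check_unpatched(&m); /* CPU2: state load (unpatched) */
    msk_close(&m);                                       /* CPU1: close(), flush join_list */
    if (patched) finish_join_patched(&m, &sf);           /* CPU2: check+add under the lock */
    else if (ok) join_add_unpatched(&m, &sf);            /* CPU2: add to the flushed list */
    return !sf.closed;
}
```

In the unpatched replay the add lands on a list that close has already flushed (in the real kernel, on an msk about to be freed), so no path ever closes the subflow; the patched replay closes it under the same lock.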