| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 May 2020 10:35:45 -0700 (PDT)
From: Mat Martineau <mathew.j.martineau@...ux.intel.com>
To: Paolo Abeni <pabeni@...hat.com>
cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Subject: Re: [PATCH net 2/3] mptcp: fix race between MP_JOIN and close
On Fri, 29 May 2020, Paolo Abeni wrote:
> If a MP_JOIN subflow completes the 3whs while another
> CPU is closing the master msk, we can hit the
> following race:
>
> CPU1 CPU2
>
> close()
> mptcp_close
> subflow_syn_recv_sock
> mptcp_token_get_sock
> mptcp_finish_join
> inet_sk_state_load
> mptcp_token_destroy
> inet_sk_state_store(TCP_CLOSE)
> __mptcp_flush_join_list()
> mptcp_sock_graft
> list_add_tail
> sk_common_release
> sock_orphan()
> <socket free>
>
> The MP_JOIN socket will be leaked. Additionally we can hit
> UaF for the msk 'struct socket' referenced via the 'conn'
> field.
>
> This change try to address the issue introducing some
> synchronization between the MP_JOIN 3whs and mptcp_close
> via the join_list spinlock. If we detect the msk is closing
> the MP_JOIN socket is closed, too.
>
> Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> ---
> net/mptcp/protocol.c | 42 +++++++++++++++++++++++++++---------------
> 1 file changed, 27 insertions(+), 15 deletions(-)
>
Reviewed-by: Mat Martineau <mathew.j.martineau@...ux.intel.com>
--
Mat Martineau
Intel
Powered by blists - more mailing lists