[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <047cb3ef-f0c0-43e4-82e9-dc0073c8b953@kernel.org>
Date: Sat, 21 Dec 2024 11:28:26 +0100
From: Matthieu Baerts <matttbe@...nel.org>
To: Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org
Cc: Mat Martineau <martineau@...nel.org>, Geliang Tang <geliang@...nel.org>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>,
mptcp@...ts.linux.dev, stable@...r.kernel.org
Subject: Re: [PATCH net] mptcp: fix TCP options overflow.
Hi Paolo,
On 21/12/2024 09:51, Paolo Abeni wrote:
> Syzbot reported the following splat:
(...)
> Eric noted a probable shinfo->nr_frags corruption, which indeed
> occurs.
>
> The root cause is a buggy MPTCP option len computation in some
> circumstances: the ADD_ADDR option should be mutually exclusive
> with DSS since the blamed commit.
>
> Still, mptcp_established_options_add_addr() tries to set the
> relevant info in mptcp_out_options, if the remaining space is
> large enough even when DSS is present.
>
> Since the ADD_ADDR infos and the DSS share the same union
> fields, adding first corrupts the latter. In the worst-case
> scenario, such corruption increases the DSS binary layout,
> exceeding the computed length and possibly overwriting the
> skb shared info.
>
> Address the issue by enforcing mutual exclusion in
> mptcp_established_options_add_addr(), too.
Thank you for the investigation and the fix, it looks good to me:
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@...nel.org>
> Reported-by: syzbot+38a095a81f30d82884c1@...kaller.appspotmail.com
If you don't mind, can you please add these two tags when applying the
patches to help to track the backports?
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538
Cc: stable@...r.kernel.org
> Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
Powered by blists - more mailing lists