Open Source and information security mailing list archives
Message-ID: <047cb3ef-f0c0-43e4-82e9-dc0073c8b953@kernel.org>
Date: Sat, 21 Dec 2024 11:28:26 +0100
From: Matthieu Baerts <matttbe@...nel.org>
To: Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org
Cc: Mat Martineau <martineau@...nel.org>, Geliang Tang <geliang@...nel.org>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>,
 mptcp@...ts.linux.dev, stable@...r.kernel.org
Subject: Re: [PATCH net] mptcp: fix TCP options overflow.

Hi Paolo,

On 21/12/2024 09:51, Paolo Abeni wrote:
> Syzbot reported the following splat:

(...)

> Eric noted a probable shinfo->nr_frags corruption, which indeed
> occurs.
> 
> The root cause is a buggy MPTCP option len computation in some
> circumstances: the ADD_ADDR option should be mutually exclusive
> with DSS since the blamed commit.
> 
> Still, mptcp_established_options_add_addr() tries to set the
> relevant info in mptcp_out_options, if the remaining space is
> large enough even when DSS is present.
> 
> Since the ADD_ADDR infos and the DSS share the same union
> fields, adding first corrupts the latter. In the worst-case
> scenario, such corruption increases the DSS binary layout,
> exceeding the computed length and possibly overwriting the
> skb shared info.
> 
> Address the issue by enforcing mutual exclusion in
> mptcp_established_options_add_addr(), too.

Thank you for the investigation and the fix, it looks good to me:

Reviewed-by: Matthieu Baerts (NGI0) <matttbe@...nel.org>

> Reported-by: syzbot+38a095a81f30d82884c1@...kaller.appspotmail.com

If you don't mind, can you please add these two tags when applying the
patches to help track the backports?

Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538
Cc: stable@...r.kernel.org

> Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
> Signed-off-by: Paolo Abeni <pabeni@...hat.com>

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.
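A constructed C model of the aliasing hazard the commit message describes: two option kinds share one union, the DSS length is computed first, and a writer that fills the ADD_ADDR side without checking for DSS silently changes that length. This is an added example, not the kernel's code; the struct layout, field names and the 12/20-byte lengths are assumptions chosen to make the mismatch visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the shared-union hazard. Field names and sizes are
 * illustrative only, not the kernel's struct mptcp_out_options. */
#define OPT_DSS      0x1u
#define OPT_ADD_ADDR 0x2u

struct out_opts {
    unsigned suboptions;            /* OPT_* flags the caller selected */
    union {
        struct { uint64_t data_seq; uint32_t data_len; uint8_t use_ack; } dss;
        struct { uint8_t addr[16]; uint8_t port_present; } add_addr;
    } u;
};

/* Bytes the DSS option occupies when written: base plus an optional ack. */
static unsigned dss_len(const struct out_opts *o)
{
    return 12u + (o->u.dss.use_ack ? 8u : 0u);
}

/* Buggy writer: fills ADD_ADDR whenever it fits, clobbering dss.* if DSS is set. */
static void add_addr_buggy(struct out_opts *o, unsigned remaining)
{
    if (remaining >= 20u)
        memset(o->u.add_addr.addr, 0xff, sizeof o->u.add_addr.addr);
}

/* Fixed writer: mutual exclusion with DSS, as the patch enforces. */
static void add_addr_fixed(struct out_opts *o, unsigned remaining)
{
    if ((o->suboptions & OPT_DSS) || remaining < 20u)
        return;
    memset(o->u.add_addr.addr, 0xff, sizeof o->u.add_addr.addr);
    o->suboptions |= OPT_ADD_ADDR;
}

/* True if the DSS length planned before the ADD_ADDR step still matches what
 * would be written afterwards; false means the writer would overrun its space. */
static bool length_consistent(bool use_fix)
{
    struct out_opts o = { .suboptions = OPT_DSS };
    o.u.dss.data_seq = 1; o.u.dss.data_len = 100; o.u.dss.use_ack = 0;
    unsigned planned = dss_len(&o);
    if (use_fix) add_addr_fixed(&o, 40u); else add_addr_buggy(&o, 40u);
    return dss_len(&o) == planned;
}
```

The same check, run against the real option writers, is the kind of assertion a regression test for this fix would make: the length computed before any later option step must equal the length actually emitted.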

