Message-ID: <CANn89iKU8TwoiZHPwdEAy2w=RhmbDci3n6Wux=oM1YzrkfdzpQ@mail.gmail.com>
Date: Mon, 23 Dec 2024 10:46:43 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Matthieu Baerts <matttbe@...nel.org>
Cc: Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
Mat Martineau <martineau@...nel.org>, Geliang Tang <geliang@...nel.org>,
"David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>,
mptcp@...ts.linux.dev, stable@...r.kernel.org
Subject: Re: [PATCH net] mptcp: fix TCP options overflow.
On Sat, Dec 21, 2024 at 11:28 AM Matthieu Baerts <matttbe@...nel.org> wrote:
>
> Hi Paolo,
>
> On 21/12/2024 09:51, Paolo Abeni wrote:
> > Syzbot reported the following splat:
>
> (...)
>
> > Eric noted a probable shinfo->nr_frags corruption, which indeed
> > occurs.
> >
> > The root cause is a buggy MPTCP option len computation in some
> > circumstances: the ADD_ADDR option should be mutually exclusive
> > with DSS since the blamed commit.
> >
> > Still, mptcp_established_options_add_addr() tries to set the
> > relevant info in mptcp_out_options, if the remaining space is
> > large enough even when DSS is present.
> >
> > Since the ADD_ADDR infos and the DSS share the same union
> > fields, adding first corrupts the latter. In the worst-case
> > scenario, such corruption increases the DSS binary layout,
> > exceeding the computed length and possibly overwriting the
> > skb shared info.
> >
> > Address the issue by enforcing mutual exclusion in
> > mptcp_established_options_add_addr(), too.
>
> Thank you for the investigation and the fix, it looks good to me:
>
> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@...nel.org>
>
> > Reported-by: syzbot+38a095a81f30d82884c1@...kaller.appspotmail.com
>
> If you don't mind, can you please add these two tags when applying the
> patches to help to track the backports?
>
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538
> Cc: stable@...r.kernel.org
>
Thanks for the fix!
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
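The union-aliasing hazard that the quoted commit message describes, as an added illustration that is not kernel code and not part of this thread: two option variants share one union, a first pass reserves space from the DSS fields, a second pass writes ADD_ADDR fields into the same storage, and the writer then emits more DSS bytes than were reserved. Every struct, field, function name and length constant below is hypothetical and chosen only to model the pattern; they are not the real mptcp_out_options layout or MPTCP option sizes.

```c
/* Added example, not kernel code: a simplified model of the union-aliasing
 * hazard described in the commit message.  All names, field layouts and
 * lengths are hypothetical/constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_DSS       (1u << 0)
#define OPT_ADD_ADDR  (1u << 1)
#define ADD_ADDR_LEN  4u    /* constructed length for the ADD_ADDR variant */
#define OPT_SPACE     40u   /* constructed: TCP option space available */

/* Two variants share storage, as the commit message says the real
 * ADD_ADDR and DSS infos do. */
struct out_opts {
    uint32_t suboptions;
    union {
        struct {
            uint8_t  use_map;
            uint8_t  ack64;     /* 1 => a 64-bit ack field is emitted */
            uint64_t data_seq;
        } dss;
        struct {
            uint8_t  addr_id;
            uint8_t  echo;      /* same offset as dss.ack64 */
            uint32_t addr;
        } add_addr;
    };
};

/* Wire length of the DSS variant, derived from its current fields. */
static size_t dss_len(const struct out_opts *o)
{
    return 8u + (o->dss.ack64 ? 8u : 0u);
}

/* First pass: decide to send DSS and reserve space for it. */
static size_t established_options_dss(struct out_opts *o)
{
    o->suboptions |= OPT_DSS;
    o->dss.use_map = 1;
    o->dss.ack64 = 0;
    o->dss.data_seq = 1000;
    return dss_len(o);
}

/* Second pass: try to add ADD_ADDR.  The buggy variant checks only the
 * remaining space; the fixed one also refuses when DSS is already set. */
static size_t established_options_add_addr(struct out_opts *o, size_t remaining,
                                           int enforce_exclusion)
{
    if (enforce_exclusion && (o->suboptions & OPT_DSS))
        return 0;                        /* mutual exclusion: nothing added */
    if (remaining < ADD_ADDR_LEN)
        return 0;
    o->suboptions |= OPT_ADD_ADDR;
    o->add_addr.addr_id = 7;
    o->add_addr.echo = 1;                /* clobbers dss.ack64 via the union */
    o->add_addr.addr = 0x0a000001u;      /* constructed address value */
    return ADD_ADDR_LEN;
}

/* Writer: DSS takes precedence and is emitted from the (possibly corrupted)
 * fields, so its size can differ from what the first pass reserved. */
static size_t write_options(uint8_t *buf, size_t buflen, const struct out_opts *o)
{
    size_t n = 0;
    if (o->suboptions & OPT_DSS)
        n = dss_len(o);
    else if (o->suboptions & OPT_ADD_ADDR)
        n = ADD_ADDR_LEN;
    if (n <= buflen)
        memset(buf, 0xAA, n);            /* stand-in for real encoding */
    return n;
}

/* Runs both passes plus the writer; returns bytes emitted beyond the
 * reserved length (0 means the reservation held). */
size_t simulate(int enforce_exclusion, size_t *reserved_out, size_t *written_out)
{
    struct out_opts o;
    uint8_t buf[OPT_SPACE];
    size_t reserved, written;

    memset(&o, 0, sizeof(o));
    reserved = established_options_dss(&o);
    reserved += established_options_add_addr(&o, OPT_SPACE - reserved, enforce_exclusion);
    written = write_options(buf, sizeof(buf), &o);
    if (reserved_out) *reserved_out = reserved;
    if (written_out) *written_out = written;
    return written > reserved ? written - reserved : 0;
}

int main(void)
{
    size_t r, w;
    size_t over = simulate(0, &r, &w);
    printf("buggy: reserved=%zu written=%zu overflow=%zu\n", r, w, over);
    over = simulate(1, &r, &w);
    printf("fixed: reserved=%zu written=%zu overflow=%zu\n", r, w, over);
    return 0;
}
```

In the buggy run the first pass reserves 8 bytes for DSS, ADD_ADDR adds 4, but the aliased `echo` write flips `dss.ack64`, so the writer emits 16 DSS bytes against a 12-byte reservation; the extra bytes are what, in the real skb, would land past the computed option length. With the exclusion check the second pass is a no-op and the reservation holds.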