lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAAVpQUCHUd+M-Kvbvpkd5qYcmD_UfCyC_2FeF9m6HkxTC6+2Xw@mail.gmail.com>
Date: Wed, 17 Sep 2025 10:43:21 -0700
From: Kuniyuki Iwashima <kuniyu@...gle.com>
To: Matthieu Baerts <matttbe@...nel.org>
Cc: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, 
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, 
	Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org, 
	Mat Martineau <martineau@...nel.org>, Geliang Tang <geliang@...nel.org>
Subject: Re: [PATCH v2 net-next 7/7] mptcp: Use __sk_dst_get() and
 dst_dev_rcu() in mptcp_active_enable().

On Wed, Sep 17, 2025 at 3:17 AM Matthieu Baerts <matttbe@...nel.org> wrote:
>
> Hi Kuniyuki,
>
> On 16/09/2025 23:47, Kuniyuki Iwashima wrote:
> > mptcp_active_enable() is called from subflow_finish_connect(),
> > which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always
> > under RCU.
> >
> > Using sk_dst_get(sk)->dev could trigger UAF.
> >
> > Let's use __sk_dst_get() and dst_dev_rcu().
> >
> > Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>
>
> Thank you for the fix! It looks good to me!
>
> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@...nel.org>
>
> > ---
> > Cc: Matthieu Baerts <matttbe@...nel.org>
> > Cc: Mat Martineau <martineau@...nel.org>
> > Cc: Geliang Tang <geliang@...nel.org>
> > ---
> >  net/mptcp/ctrl.c | 11 +++++++----
> >  1 file changed, 7 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
> > index c0e516872b4b..e8ffa62ec183 100644
> > --- a/net/mptcp/ctrl.c
> > +++ b/net/mptcp/ctrl.c
> > @@ -501,12 +501,15 @@ void mptcp_active_enable(struct sock *sk)
> >       struct mptcp_pernet *pernet = mptcp_get_pernet(sock_net(sk));
> >
> >       if (atomic_read(&pernet->active_disable_times)) {
> > -             struct dst_entry *dst = sk_dst_get(sk);
> > +             struct net_device *dev;
> > +             struct dst_entry *dst;
> >
> > -             if (dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK))
>
> Mmh, I don't know why but the condition was already wrong before your
> patch. It should be the opposite: we should reset if we manage to open
> an MPTCP connection on a non-loopback interface...
>
> I don't want to block this series for this non-directly related issue.
> If you prefer, I can send a fix when this series will be applied. I
> guess it would be easier to send it to net-next to avoid conflicts,
> which should be fine if we are close to the merge windows.

Sounds good to me.

Thanks for the review!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ