[net] mptcp: fix NULL ptr dereference on bad MPJ

Message ID	7245da72fb7b1936b2c872c8a8c465012763ed17.1606385694.git.pabeni@redhat.com
State	Accepted, archived
Commit	8e76b1043ebe8ef8018d4e8041320c7b62d9cbb9
Delegated to:	Matthieu Baerts
Headers	show Return-Path: <mptcp-bounces@lists.01.org> Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=216.205.24.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=pabeni@redhat.com; receiver=<UNKNOWN> From: Paolo Abeni <pabeni@redhat.com> To: mptcp@lists.01.org Date: Thu, 26 Nov 2020 11:15:03 +0100 Message-Id: <7245da72fb7b1936b2c872c8a8c465012763ed17.1606385694.git.pabeni@redhat.com> MIME-Version: 1.0 Message-ID-Hash: NHRNWN5VYRBE6W6GDXEXT7VY224VKWMR Precedence: list Subject: [MPTCP] [PATCH net] mptcp: fix NULL ptr dereference on bad MPJ Archived-At: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/NHRNWN5VYRBE6W6GDXEXT7VY224VKWMR/> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	[net] mptcp: fix NULL ptr dereference on bad MPJ \| expand [net] mptcp: fix NULL ptr dereference on bad MPJ

Message ID

7245da72fb7b1936b2c872c8a8c465012763ed17.1606385694.git.pabeni@redhat.com

State

Accepted, archived

Commit

8e76b1043ebe8ef8018d4e8041320c7b62d9cbb9

Delegated to:

Matthieu Baerts

Headers

show

Return-Path: <mptcp-bounces@lists.01.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.01.org (client-ip=198.145.21.10;
 helo=ml01.01.org; envelope-from=mptcp-bounces@lists.01.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=fail (p=none dis=none) header.from=redhat.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=VJMjQquA;
	dkim-atps=neutral
Received: from ml01.01.org (ml01.01.org [198.145.21.10])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4ChYY32bJkz9s0b
	for <incoming@patchwork.ozlabs.org>; Thu, 26 Nov 2020 21:15:18 +1100 (AEDT)
Received: from ml01.vlan13.01.org (localhost [IPv6:::1])
	by ml01.01.org (Postfix) with ESMTP id 6ABB3100ED4BC;
	Thu, 26 Nov 2020 02:15:16 -0800 (PST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=216.205.24.124;
 helo=us-smtp-delivery-124.mimecast.com; envelope-from=pabeni@redhat.com;
 receiver=<UNKNOWN> 
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by ml01.01.org (Postfix) with ESMTPS id 693FA100ED4BA
	for <mptcp@lists.01.org>; Thu, 26 Nov 2020 02:15:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1606385713;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=JiKsudBPY1+qL0ZUNzDcbhq7sznQLAGWLHvIphjGWOE=;
	b=VJMjQquAYZkjDENxPLK1PaYjsQvHEvnkTCR2T+oGT1A1lEn8+Wb/3GITYvxdAFrv82JRf0
	REKmpN+bYL/cVjnODgP+RyXsQ7IGdjb16DzIXRTHwZuTSGeO7dzrVrYmBbs3zvUkkAS3xN
	Ka9sZD5hYljGZtbyDXJftfowHD8xPZY=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-401-w3QbhN0OPWilkm-1jshBRg-1; Thu, 26 Nov 2020 05:15:11 -0500
X-MC-Unique: w3QbhN0OPWilkm-1jshBRg-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 759A5100E322
	for <mptcp@lists.01.org>; Thu, 26 Nov 2020 10:15:09 +0000 (UTC)
Received: from gerbillo.redhat.com (ovpn-115-72.ams2.redhat.com
 [10.36.115.72])
	by smtp.corp.redhat.com (Postfix) with ESMTP id B78E860855
	for <mptcp@lists.01.org>; Thu, 26 Nov 2020 10:15:08 +0000 (UTC)
From: Paolo Abeni <pabeni@redhat.com>
To: mptcp@lists.01.org
Date: Thu, 26 Nov 2020 11:15:03 +0100
Message-Id: 
 <7245da72fb7b1936b2c872c8a8c465012763ed17.1606385694.git.pabeni@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=pabeni@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Message-ID-Hash: NHRNWN5VYRBE6W6GDXEXT7VY224VKWMR
X-Message-ID-Hash: NHRNWN5VYRBE6W6GDXEXT7VY224VKWMR
X-MailFrom: pabeni@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.1.1
Precedence: list
Subject: [MPTCP] [PATCH net] mptcp: fix NULL ptr dereference on bad MPJ
List-Id: Discussions regarding MPTCP upstreaming <mptcp.lists.01.org>
Archived-At: 
 <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/NHRNWN5VYRBE6W6GDXEXT7VY224VKWMR/>
List-Archive: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/>
List-Help: <mailto:mptcp-request@lists.01.org?subject=help>
List-Post: <mailto:mptcp@lists.01.org>
List-Subscribe: <mailto:mptcp-join@lists.01.org>
List-Unsubscribe: <mailto:mptcp-leave@lists.01.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Series

[net] mptcp: fix NULL ptr dereference on bad MPJ | expand

Commit Message

Paolo Abeni Nov. 26, 2020, 10:15 a.m. UTC

If an msk listener receives an MPJ carrying an invalid token, it
will zero the request socket msk entry. That should later
cause fallback and subflow reset - as per RFC - at
subflow_syn_recv_sock() time due to failing hmac validation.

Since commit 4cf8b7e48a09 ("subflow: introduce and use
mptcp_can_accept_new_subflow()"), we unconditionally dereference
- in mptcp_can_accept_new_subflow - the subflow request msk
before performing hmac validation. In the above scenario we
hit a NULL ptr dereference.

Address the issue doing the hmac validation earlier.

Fixes: 4cf8b7e48a09 ("subflow: introduce and use mptcp_can_accept_new_subflow()")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 net/mptcp/subflow.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

Matthieu Baerts Nov. 26, 2020, 11:27 a.m. UTC | #1

Hi Paolo,

On 26/11/2020 11:15, Paolo Abeni wrote:
> If an msk listener receives an MPJ carrying an invalid token, it
> will zero the request socket msk entry. That should later
> cause fallback and subflow reset - as per RFC - at
> subflow_syn_recv_sock() time due to failing hmac validation.
> 
> Since commit 4cf8b7e48a09 ("subflow: introduce and use
> mptcp_can_accept_new_subflow()"), we unconditionally dereference
> - in mptcp_can_accept_new_subflow - the subflow request msk
> before performing hmac validation. In the above scenario we
> hit a NULL ptr dereference.
> 
> Address the issue doing the hmac validation earlier.

Thanks for the fix!

Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>

Just added in our tree:
- 8e76b1043ebe: mptcp: fix NULL ptr dereference on bad MPJ
- Results: a7a4732c5cdb..aad014029dd8

Tests + export are in progress!

Cheers,
Matt

Davide Caratti Nov. 26, 2020, 11:42 a.m. UTC | #2

On Thu, 2020-11-26 at 11:15 +0100, Paolo Abeni wrote:
> If an msk listener receives an MPJ carrying an invalid token, it
> will zero the request socket msk entry. That should later
> cause fallback and subflow reset - as per RFC - at
> subflow_syn_recv_sock() time due to failing hmac validation.
> 
> Since commit 4cf8b7e48a09 ("subflow: introduce and use
> mptcp_can_accept_new_subflow()"), we unconditionally dereference
> - in mptcp_can_accept_new_subflow - the subflow request msk
> before performing hmac validation. In the above scenario we
> hit a NULL ptr dereference.
> 
> Address the issue doing the hmac validation earlier.
> 
> Fixes: 4cf8b7e48a09 ("subflow: introduce and use mptcp_can_accept_new_subflow()")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>

kernel does not crash anymore. It still sends a 0 HMAC, and resets the
connection after the 3WHS - see https://paste.centos.org/view/d962741c
(not sure if it's RFC compliant, but for sure it fixes the issue :) )

Tested-by: Davide Caratti <dcaratti@redhat.com>

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index ac4a1fe3550b..953906e40742 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -543,9 +543,8 @@  static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 			fallback = true;
 	} else if (subflow_req->mp_join) {
 		mptcp_get_options(skb, &mp_opt);
-		if (!mp_opt.mp_join ||
-		    !mptcp_can_accept_new_subflow(subflow_req->msk) ||
-		    !subflow_hmac_valid(req, &mp_opt)) {
+		if (!mp_opt.mp_join || !subflow_hmac_valid(req, &mp_opt) ||
+		    !mptcp_can_accept_new_subflow(subflow_req->msk)) {
 			SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
 			fallback = true;
 		}

[net] mptcp: fix NULL ptr dereference on bad MPJ

Commit Message

Comments

Patch