Message ID | 65f44ff773902fc1e7e2d03f8ae4b5632f1e2164.1591291903.git.pabeni@redhat.com |
---|---|
State | Accepted, archived |
Delegated to: | Matthieu Baerts |
Headers | show
Return-Path: <mptcp-bounces@lists.01.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.01.org (client-ip=198.145.21.10; helo=ml01.01.org; envelope-from=mptcp-bounces@lists.01.org; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=JrnUK00o; dkim-atps=neutral Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49dCjZ0z4kz9sSn for <incoming@patchwork.ozlabs.org>; Fri, 5 Jun 2020 03:40:32 +1000 (AEST) Received: from ml01.vlan13.01.org (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id CD4F7100A22F8; Thu, 4 Jun 2020 10:35:24 -0700 (PDT) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=205.139.110.61; helo=us-smtp-delivery-1.mimecast.com; envelope-from=pabeni@redhat.com; receiver=<UNKNOWN> Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B7B22100A302C for <mptcp@lists.01.org>; Thu, 4 Jun 2020 10:35:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1591292427; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=L+mVsA598HwDsS2jL8E4qlg8ID/45wqSBWFllMWapU8=; b=JrnUK00oqhFjvPg42MmVdU+0mQ1p5DB0YVCnmsVwhbW4w8rfBEwBCR2PzOCT4gMXez6f+3 PFy9xfJeEBOv/h30/UdVmieWcl/GlPJ8B4y2UwBzBqsZSshKXMknPlQsmuCycqa5ivGpTD 42edf+qi9Pn7u1xyfcYsHjxnT9oDHsc= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-474-3WPTaa2uPFGM44bcqiFmYA-1; Thu, 04 Jun 2020 13:40:25 -0400 X-MC-Unique: 3WPTaa2uPFGM44bcqiFmYA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E67B5835B40 for <mptcp@lists.01.org>; Thu, 4 Jun 2020 17:40:24 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.40.192.69]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3F8E47CCC2 for <mptcp@lists.01.org>; Thu, 4 Jun 2020 17:40:24 +0000 (UTC) From: Paolo Abeni <pabeni@redhat.com> To: mptcp@lists.01.org Date: Thu, 4 Jun 2020 19:40:05 +0200 Message-Id: <65f44ff773902fc1e7e2d03f8ae4b5632f1e2164.1591291903.git.pabeni@redhat.com> In-Reply-To: <cover.1591291903.git.pabeni@redhat.com> References: <cover.1591291903.git.pabeni@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: ZBPCTBNGBLYEPXDS3I2RY4JXSB7B66U7 X-Message-ID-Hash: ZBPCTBNGBLYEPXDS3I2RY4JXSB7B66U7 X-MailFrom: pabeni@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.1.1 Precedence: list Subject: [MPTCP] [PATCH 3/4] mptcp: don't leak msk in token container List-Id: Discussions regarding MPTCP upstreaming <mptcp.lists.01.org> Archived-At: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/message/ZBPCTBNGBLYEPXDS3I2RY4JXSB7B66U7/> List-Archive: <https://lists.01.org/hyperkitty/list/mptcp@lists.01.org/> List-Help: <mailto:mptcp-request@lists.01.org?subject=help> List-Post: <mailto:mptcp@lists.01.org> List-Subscribe: <mailto:mptcp-join@lists.01.org> List-Unsubscribe: <mailto:mptcp-leave@lists.01.org> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit |
Series |
mptcp: token refactor follow-up
|
expand
|
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index fcb9ca9a9dce..229ffff4b217 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct sock *sk) sock_orphan(sk); } + mptcp_token_destroy(mptcp_sk(sk)); inet_sock_destruct(sk); }
When the left-over msk is freed by subflow_syn_recv_sock(), we don't invoke the proto->destroy() method, to the socket is not removed from the token container, leading to later UaF. Address the issue explicitly removing the token even in the above error path. Signed-off-by: Paolo Abeni <pabeni@redhat.com> --- note: - the net patch will be slightly different, to cope with the token API changes introduced by the token refactor --- net/mptcp/subflow.c | 1 + 1 file changed, 1 insertion(+)