From patchwork Thu Jun 4 17:40:06 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paolo Abeni
X-Patchwork-Id: 1303654
X-Patchwork-Delegate: matthieu.baerts@tessares.net
From: Paolo Abeni
To: mptcp@lists.01.org
Date: Thu, 4 Jun 2020 19:40:06 +0200
Subject: [MPTCP] [PATCH 4/4] [DO-NOT-MERGE] mptcp: use kmalloc on kasan build
List-Id: Discussions regarding MPTCP upstreaming

Helps detection of UaF, which apparently kasan misses with kmem_cache allocator. We also need to always set the SOCK_RCU_FREE flag, to preserve the current code leveraging SLAB_TYPESAFE_BY_RCU. This latter change will make unreachable some existing error paths, but I don't see other options.

Signed-off-by: Paolo Abeni
--- net/ipv4/af_inet.c | 3 +++ net/mptcp/protocol.c | 15 +++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 02aa5cb3a4fd..53da7a4683d3 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -316,7 +316,10 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, answer_flags = answer->flags; rcu_read_unlock(); +#if !IS_ENABLED(CONFIG_KASAN) + /* with kasan we use kmalloc */ WARN_ON(!answer_prot->slab); +#endif err = -ENOBUFS; sk = sk_alloc(net, PF_INET, GFP_KERNEL, answer_prot, kern); diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 90e87727fde3..5ce1314a1916 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c 
@@ -1262,6 +1262,9 @@ static int __mptcp_init_sock(struct sock *sk) /* re-use the csk retrans timer for MPTCP-level retrans */ timer_setup(&msk->sk.icsk_retransmit_timer, mptcp_retransmit_timer, 0); +#if IS_ENABLED(CONFIG_KASAN) + sock_set_flag(sk, SOCK_RCU_FREE); +#endif return 0; } @@ -1455,7 +1458,9 @@ struct sock *mptcp_sk_clone(const struct sock *sk, msk->ack_seq = ack_seq; } +#if !IS_ENABLED(CONFIG_KASAN) sock_reset_flag(nsk, SOCK_RCU_FREE); +#endif /* will be fully established after successful MPC subflow creation */ inet_sk_state_store(nsk, TCP_SYN_RECV); bh_unlock_sock(nsk); @@ -2076,6 +2081,12 @@ static struct inet_protosw mptcp_protosw = { .flags = INET_PROTOSW_ICSK, }; +#if IS_ENABLED(CONFIG_KASAN) +#define MPTCP_USE_SLAB 0 +#else +#define MPTCP_USE_SLAB 1 +#endif + void __init mptcp_proto_init(void) { mptcp_prot.h.hashinfo = tcp_prot.h.hashinfo; @@ -2087,7 +2098,7 @@ void __init mptcp_proto_init(void) mptcp_pm_init(); mptcp_token_init(); - if (proto_register(&mptcp_prot, 1) != 0) + if (proto_register(&mptcp_prot, MPTCP_USE_SLAB) != 0) panic("Failed to register MPTCP proto.\n"); inet_register_protosw(&mptcp_protosw); @@ -2149,7 +2160,7 @@ int __init mptcp_proto_v6_init(void) mptcp_v6_prot.destroy = mptcp_v6_destroy; mptcp_v6_prot.obj_size = sizeof(struct mptcp6_sock); - err = proto_register(&mptcp_v6_prot, 1); + err = proto_register(&mptcp_v6_prot, MPTCP_USE_SLAB); if (err) return err;
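
Review bot: in the net/ipv4/af_inet.c hunk, the `#if !IS_ENABLED(CONFIG_KASAN)` guard sits in inet_create(), which is not MPTCP-specific, so a KASAN build drops the `WARN_ON(!answer_prot->slab)` check for every protocol created through it, not only for the one that stopped using a slab. Keep the check and skip it only for the protocol registered without a slab. The diffstat also touches no IPv6 create path, although mptcp_v6_prot is registered with MPTCP_USE_SLAB as well; if that path carries the same assertion it will fire on KASAN builds and needs the same treatment.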
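
Review bot: the `sock_set_flag(sk, SOCK_RCU_FREE)` added to __mptcp_init_sock() and the `sock_reset_flag(nsk, SOCK_RCU_FREE)` compiled out of mptcp_sk_clone() carry no comment explaining why the flag must stay set once the socket comes from kmalloc. The reason is only in the commit message (the existing code leans on SLAB_TYPESAFE_BY_RCU) and belongs next to both sites. The commit message also says some existing error paths become unreachable without naming them; list them, because on a KASAN build those paths get no coverage and the socket release timing differs from the non-KASAN build, which limits what a clean KASAN run says about the shipped configuration.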
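
Review bot: the `#if`/`#else` block that defines MPTCP_USE_SLAB above mptcp_proto_init() can be a single line, `#define MPTCP_USE_SLAB (!IS_ENABLED(CONFIG_KASAN))`, since IS_ENABLED() is usable in C expressions; the guards around the two SOCK_RCU_FREE calls can likewise become plain `if (IS_ENABLED(CONFIG_KASAN))` tests so both branches stay compile-checked. The macro also needs a short comment saying that passing 0 to proto_register() makes the protocol allocate with kmalloc instead of a dedicated slab, which is the whole point of the change and is not obvious at the two call sites in mptcp_proto_init() and mptcp_proto_v6_init().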