From patchwork Wed Jun 10 08:49:00 2020
X-Patchwork-Submitter: Paolo Abeni
X-Patchwork-Id: 1306666
From: Paolo Abeni
To: netdev@vger.kernel.org
CC: "David S. Miller", Jakub Kicinski, mptcp@lists.01.org
Date: Wed, 10 Jun 2020 10:49:00 +0200
Subject: [MPTCP] [PATCH net] mptcp: don't leak msk in token container

If a listening MPTCP socket has unaccepted sockets at close time, the related msks are freed via mptcp_sock_destruct(), which in turn does not invoke the proto->destroy() method nor the mptcp_token_destroy() function.

Due to the above, the child msk socket is not removed from the token container, leading to later UaF.

Address the issue explicitly removing the token even in the above error path.

Fixes: 79c0949e9a09 ("mptcp: Add key generation and token tree")
Signed-off-by: Paolo Abeni
Reviewed-by: Matthieu Baerts
--- net/mptcp/subflow.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 493b98a0825c..bf132575040d 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct sock *sk) sock_orphan(sk); } + mptcp_token_destroy(mptcp_sk(sk)->token); inet_sock_destruct(sk); }
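Review bot: the added mptcp_token_destroy(mptcp_sk(sk)->token) call at the end of mptcp_sock_destruct() is unconditional, so it relies on mptcp_token_destroy() being a safe no-op whenever the destructor is reached for an msk whose token is not in the container, for example if the token was already removed earlier or was never inserted. Please confirm that a second or spurious removal cannot drop an entry belonging to another msk, and consider a one-line comment above the call stating that it covers unaccepted children of a closed listener, since nothing else in the function explains why a destructor touches the token container. Placing the call before inet_sock_destruct(sk) looks right, as the token lookup path must not be able to find the msk once its memory is on the way to being released.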