git.baikalelectronics.ru Git - kernel.git/commit
mptcp: fix use-after-free for ipv6
author Florian Westphal <fw@strlen.de>
Wed, 5 Feb 2020 23:39:37 +0000 (00:39 +0100)
committer David S. Miller <davem@davemloft.net>
Thu, 6 Feb 2020 10:25:09 +0000 (11:25 +0100)
commit 132e6a7da68c5a2b4cd1b7d540ef5b388a81ca1b
tree b95ccc010e7691b0715d76e2b9f74e4489876894
parent 1aac34c54ee74498f72a09ddc80fe3252ab38420
mptcp: fix use-after-free for ipv6

Turns out that when we accept a new subflow, the newly created
inet_sk(tcp_sk)->pinet6 points at the ipv6_pinfo structure of the
listener socket.

This wasn't caught by the selftest because it closes the accepted fd
before the listening one.

Adding a close(listenfd) after accept returns is enough:
 BUG: KASAN: use-after-free in inet6_getname+0x6ba/0x790
 Read of size 1 at addr ffff88810e310866 by task mptcp_connect/2518
 Call Trace:
  inet6_getname+0x6ba/0x790
  __sys_getpeername+0x10b/0x250
  __x64_sys_getpeername+0x6f/0xb0

Also alter the test program to exercise this.

Reported-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/mptcp/protocol.c
tools/testing/selftests/net/mptcp/mptcp_connect.c
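The trigger the commit message describes is an ordering problem: the accepted fd outlives the listener, and on the unfixed kernel its pinet6 pointer still refers to the listener's ipv6_pinfo, so a later getpeername() walks freed memory. The following stand-alone C program is an added example, not this commit's diff and not the kernel's mptcp_connect.c selftest; it reproduces exactly that ordering (listen, connect, accept, close the listener, then getpeername on the accepted fd) over IPv6 loopback. Names such as run_repro and run_repro_any are the example's own; the fallbacks to plain TCP (when the kernel has no MPTCP or net.mptcp.enabled is 0) and to IPv4 (when ::1 is unusable) are assumptions made so it runs anywhere, and the IPPROTO_MPTCP value 262 is the Linux uapi constant, defined here only for older libc headers.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* IPPROTO_MPTCP is 262 in the Linux uapi headers (5.6+); older libc lack it. */
#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262
#endif

struct repro_result {
    int family;         /* address family actually used: AF_INET6 or AF_INET */
    int proto;          /* IPPROTO_MPTCP if the kernel accepted it, else IPPROTO_TCP */
    int getpeername_ok; /* 1 if getpeername() on the accepted fd succeeded after close(listenfd) */
    int addr_match;     /* 1 if the reported peer equals the client's own local endpoint */
};

/* Assumption for portability: try MPTCP first, fall back to TCP so the
 * ordering can still be exercised on a kernel without MPTCP. */
static int open_stream(int family, int *proto)
{
    int fd = socket(family, SOCK_STREAM, IPPROTO_MPTCP);
    *proto = IPPROTO_MPTCP;
    if (fd < 0) {
        fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
        *proto = IPPROTO_TCP;
    }
    return fd;
}

/* Compare family, port and address only; flowinfo/scope_id are not relevant on loopback. */
static int same_endpoint(const struct sockaddr_storage *a, const struct sockaddr_storage *b)
{
    if (a->ss_family != b->ss_family)
        return 0;
    if (a->ss_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const void *)a, *y = (const void *)b;
        return x->sin6_port == y->sin6_port &&
               !memcmp(&x->sin6_addr, &y->sin6_addr, sizeof(x->sin6_addr));
    }
    const struct sockaddr_in *x = (const void *)a, *y = (const void *)b;
    return x->sin_port == y->sin_port && x->sin_addr.s_addr == y->sin_addr.s_addr;
}

/* Returns 0 once the connection was set up and the check ran, -1 on a setup failure. */
int run_repro(int family, struct repro_result *out)
{
    struct sockaddr_storage addr, peer, local;
    socklen_t alen, plen = sizeof(peer), llen = sizeof(local);
    int listenfd, clientfd, acceptfd;

    memset(out, 0, sizeof(*out));
    memset(&addr, 0, sizeof(addr));
    out->family = family;
    if (family == AF_INET6) {
        struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&addr;
        a6->sin6_family = AF_INET6;
        a6->sin6_addr = in6addr_loopback; /* ::1, port 0 = ephemeral */
        alen = sizeof(*a6);
    } else {
        struct sockaddr_in *a4 = (struct sockaddr_in *)&addr;
        a4->sin_family = AF_INET;
        a4->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        alen = sizeof(*a4);
    }

    listenfd = open_stream(family, &out->proto);
    if (listenfd < 0)
        return -1;
    if (bind(listenfd, (struct sockaddr *)&addr, alen) < 0 || listen(listenfd, 1) < 0 ||
        getsockname(listenfd, (struct sockaddr *)&addr, &alen) < 0) { /* learn the port */
        close(listenfd);
        return -1;
    }
    clientfd = open_stream(family, &out->proto);
    if (clientfd < 0 || connect(clientfd, (struct sockaddr *)&addr, alen) < 0) {
        close(listenfd);
        if (clientfd >= 0) close(clientfd);
        return -1;
    }
    acceptfd = accept(listenfd, NULL, NULL);
    if (acceptfd < 0) {
        close(listenfd); close(clientfd);
        return -1;
    }

    /* The ordering that matters: drop the listener before touching the accepted fd.
     * On the unfixed kernel the accepted socket's pinet6 still points into the
     * listener's ipv6_pinfo, so the getpeername() below reads freed memory. */
    close(listenfd);

    out->getpeername_ok = getpeername(acceptfd, (struct sockaddr *)&peer, &plen) == 0;
    if (out->getpeername_ok && getsockname(clientfd, (struct sockaddr *)&local, &llen) == 0)
        out->addr_match = same_endpoint(&peer, &local);

    close(acceptfd);
    close(clientfd);
    return 0;
}

/* Prefer IPv6 (the case the fix is about); fall back to IPv4 if ::1 is unusable. */
int run_repro_any(struct repro_result *out)
{
    if (run_repro(AF_INET6, out) == 0)
        return 0;
    return run_repro(AF_INET, out);
}

int main(void)
{
    struct repro_result r;
    if (run_repro_any(&r) < 0) {
        perror("setup");
        return 1;
    }
    printf("family=%s proto=%s getpeername=%s addr_match=%d\n",
           r.family == AF_INET6 ? "AF_INET6" : "AF_INET",
           r.proto == IPPROTO_MPTCP ? "MPTCP" : "TCP",
           r.getpeername_ok ? "ok" : "failed", r.addr_match);
    return 0;
}
```

On a fixed kernel this prints a matching peer address and exits 0; on a KASAN-enabled kernel without the fix, the getpeername() after close(listenfd) is the call that produces the inet6_getname splat quoted above. Because MPTCP falls back to TCP when unavailable, a clean run only demonstrates the bug is absent if the printed proto is MPTCP and the family is AF_INET6.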