• Paolo Abeni's avatar
    mptcp: fix UaF in listener shutdown · 0a3f4f1f
    Paolo Abeni authored
    As reported by Christoph after having refactored the passive
    socket initialization, the mptcp listener shutdown path is prone
    to an UaF issue.
    
      BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0
      Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266
    
      CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
      Call Trace:
       <TASK>
       dump_stack_lvl+0x6e/0x91
       print_report+0x16a/0x46f
       kasan_report+0xad/0x130
       kasan_check_range+0x14a/0x1a0
       _raw_spin_lock_bh+0x73/0xe0
       subflow_error_report+0x6d/0x110
       sk_error_report+0x3b/0x190
       tcp_disconnect+0x138c/0x1aa0
       inet_child_forget+0x6f/0x2e0
       inet_csk_listen_stop+0x209/0x1060
       __mptcp_close_ssk+0x52d/0x610
       mptcp_destroy_common+0x165/0x640
       mptcp_destroy+0x13/0x80
       __mptcp_destroy_sock+0xe7/0x270
       __mptcp_close+0x70e/0x9b0
       mptcp_close+0x2b/0x150
       inet_release+0xe9/0x1f0
       __sock_release+0xd2/0x280
       sock_close+0x15/0x20
       __fput+0x252/0xa20
       task_work_run+0x169/0x250
       exit_to_user_mode_prepare+0x113/0x120
       syscall_exit_to_user_mode+0x1d/0x40
       do_syscall_64+0x48/0x90
       entry_SYSCALL_64_after_hwframe+0x72/0xdc
    
    The msk grace period can legitly expire in between the last
    reference count dropped in mptcp_subflow_queue_clean() and
    the later eventual access in inet_csk_listen_stop()
    
    After the previous patch we don't need anymore special-casing
    msk listener socket cleanup: the mptcp worker will process each
    of the unaccepted msk sockets.
    
    Just drop the now unnecessary code.
    
    Please note this commit depends on the two parent ones:
    
      mptcp: refactor passive socket initialization
      mptcp: use the workqueue to destroy unaccepted sockets
    
    Fixes: 6aeed904 ("mptcp: fix race on unaccepted mptcp sockets")
    Cc: stable@vger.kernel.org
    Reported-and-tested-by: default avatarChristoph Paasch <cpaasch@apple.com>
    Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/346Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
    Reviewed-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
    Signed-off-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
    Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
    0a3f4f1f
protocol.c 99 KB