From: Simon Horman <horms@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Matthieu Baerts <matttbe@kernel.org>,
	Mat Martineau <martineau@kernel.org>,
	Geliang Tang <geliang.tang@linux.dev>,
	Florian Westphal <fw@strlen.de>,
	netdev@vger.kernel.org, eric.dumazet@gmail.com,
	syzbot <syzkaller@googlegroups.com>,
	Peter Krystad <peter.krystad@linux.intel.com>
Subject: Re: [PATCH net 4/5] mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req()
Date: Fri, 12 Jan 2024 19:37:05 +0000	[thread overview]
Message-ID: <20240112193705.GF392144@kernel.org> (raw)
In-Reply-To: <20240111194917.4044654-5-edumazet@google.com>

On Thu, Jan 11, 2024 at 07:49:16PM +0000, Eric Dumazet wrote:
> syzbot reported that subflow_check_req() was using uninitialized data in
> subflow_check_req() [1].
> 
> This is because mp_opt.token is only set when OPTION_MPTCP_MPJ_SYN is also set.
> 
> While we are at it, fix mptcp_subflow_init_cookie_req()
> to test for OPTION_MPTCP_MPJ_ACK.
> 
> [1]
> 
> BUG: KMSAN: uninit-value in subflow_token_join_request net/mptcp/subflow.c:91 [inline]
>  BUG: KMSAN: uninit-value in subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209
>   subflow_token_join_request net/mptcp/subflow.c:91 [inline]
>   subflow_check_req+0x1028/0x15d0 net/mptcp/subflow.c:209
>   subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367
>   tcp_conn_request+0x153a/0x4240 net/ipv4/tcp_input.c:7164
>  subflow_v6_conn_request+0x3ee/0x510
>   tcp_rcv_state_process+0x2e1/0x4ac0 net/ipv4/tcp_input.c:6659
>   tcp_v6_do_rcv+0x11bf/0x1fe0 net/ipv6/tcp_ipv6.c:1669
>   tcp_v6_rcv+0x480b/0x4fb0 net/ipv6/tcp_ipv6.c:1900
>   ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
>   ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
>   NF_HOOK include/linux/netfilter.h:314 [inline]
>   ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
>   dst_input include/net/dst.h:461 [inline]
>   ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
>   NF_HOOK include/linux/netfilter.h:314 [inline]
>   ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
>   __netif_receive_skb_one_core net/core/dev.c:5532 [inline]
>   __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
>   netif_receive_skb_internal net/core/dev.c:5732 [inline]
>   netif_receive_skb+0x58/0x660 net/core/dev.c:5791
>   tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
>   tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
>   tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
>   call_write_iter include/linux/fs.h:2020 [inline]
>   new_sync_write fs/read_write.c:491 [inline]
>   vfs_write+0x8ef/0x1490 fs/read_write.c:584
>   ksys_write+0x20f/0x4c0 fs/read_write.c:637
>   __do_sys_write fs/read_write.c:649 [inline]
>   __se_sys_write fs/read_write.c:646 [inline]
>   __x64_sys_write+0x93/0xd0 fs/read_write.c:646
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> 
> Local variable mp_opt created at:
>   subflow_check_req+0x6d/0x15d0 net/mptcp/subflow.c:145
>   subflow_v6_route_req+0x269/0x410 net/mptcp/subflow.c:367
> 
> CPU: 1 PID: 5924 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> 
> Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Simon Horman <horms@kernel.org>
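The gating rule the commit message describes, as an added example that is not part of the kernel patch or of this thread: a constructed, simplified model of the parsed MP_JOIN option state, in which the parser resets only the `suboptions` mask and a request check consults `token` only after `OPTION_MPTCP_MPJ_SYN` has been confirmed (the same pattern the patch applies to `OPTION_MPTCP_MPJ_ACK` in `mptcp_subflow_init_cookie_req()`). The names mirror the kernel's, but the struct layout, bit values and both functions are assumptions; the MP_JOIN lengths follow RFC 8684.

```c
#include <stdint.h>

/* Constructed model: the parser resets only the suboptions mask, so every
 * other field is valid only while its bit is set. Bit values are illustrative. */
#define OPTION_MPTCP_MPJ_SYN     (1u << 0)
#define OPTION_MPTCP_MPJ_SYNACK  (1u << 1)
#define OPTION_MPTCP_MPJ_ACK     (1u << 2)
#define TCPOPT_MPTCP             30   /* TCP option kind for MPTCP */
#define MPTCPOPT_MP_JOIN         1    /* subtype, high nibble of byte 2 */
#define TCPOLEN_MPTCP_MPJ_SYN    12   /* SYN / SYN+ACK / ACK forms are told */
#define TCPOLEN_MPTCP_MPJ_SYNACK 16   /* apart by their length (RFC 8684) */
#define TCPOLEN_MPTCP_MPJ_ACK    24

struct mp_opt {
    unsigned int suboptions;
    uint32_t token;    /* written only for the SYN form: see parser below */
};

/* Classify a MP_JOIN option by its length; fill token for the SYN form only. */
static void mp_parse_option(const uint8_t *opt, unsigned avail, struct mp_opt *mp)
{
    mp->suboptions = 0;                         /* the only field reset here */
    if (avail < 3 || opt[0] != TCPOPT_MPTCP || opt[1] > avail ||
        (opt[2] >> 4) != MPTCPOPT_MP_JOIN)
        return;
    switch (opt[1]) {
    case TCPOLEN_MPTCP_MPJ_SYN:
        mp->suboptions |= OPTION_MPTCP_MPJ_SYN;
        /* bytes 4..7 carry the receiver's token (network byte order) */
        mp->token = (uint32_t)opt[4] << 24 | (uint32_t)opt[5] << 16 |
                    (uint32_t)opt[6] << 8 | opt[7];
        break;
    case TCPOLEN_MPTCP_MPJ_SYNACK: mp->suboptions |= OPTION_MPTCP_MPJ_SYNACK; break;
    case TCPOLEN_MPTCP_MPJ_ACK:    mp->suboptions |= OPTION_MPTCP_MPJ_ACK;    break;
    default:
        break;                                  /* bad length: no bit, no fields */
    }
}

/* Hardened request check: read mp->token only when the bit that guarantees
 * it was written is set; otherwise reject without touching the field. */
static int subflow_join_token(const struct mp_opt *mp, uint32_t *token)
{
    if (!(mp->suboptions & OPTION_MPTCP_MPJ_SYN))
        return -1;
    *token = mp->token;
    return 0;
}
```

A SYN-length option yields its token; an ACK-length or malformed option leaves the SYN bit clear and the check returns -1 before the stale field is ever read.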

