From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Paolo Abeni, Matthieu Baerts, "David S. Miller"
Subject: [PATCH 5.7 108/163] mptcp: dont leak msk in token container
Date: Tue, 16 Jun 2020 17:34:42 +0200
Message-Id: <20200616153111.982041311@linuxfoundation.org>
In-Reply-To: <20200616153106.849127260@linuxfoundation.org>

From: Paolo Abeni

[ Upstream commit 4b5af44129d0653a4df44e5511c7d480c61c8f3c ]

If a listening MPTCP socket has unaccepted sockets at close time, the related msks are freed via mptcp_sock_destruct(), which in turn does not invoke the proto->destroy() method nor the mptcp_token_destroy() function.

Due to the above, the child msk socket is not removed from the token container, leading to later UaF.

Address the issue explicitly removing the token even in the above error path.

Fixes: 79c0949e9a09 ("mptcp: Add key generation and token tree")
Signed-off-by: Paolo Abeni
Reviewed-by: Matthieu Baerts
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/mptcp/subflow.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct s sock_orphan(sk); } + mptcp_token_destroy(mptcp_sk(sk)->token); inet_sock_destruct(sk); }
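
Review bot: the new mptcp_token_destroy(mptcp_sk(sk)->token) call in mptcp_sock_destruct() sits after the closing brace of the preceding block, so it runs on every invocation of the destructor, not only for the unaccepted-child case the commit message describes. That is only safe if mptcp_token_destroy() is a no-op for a token that is no longer in the container or was never inserted; please confirm this and say so in the changelog. Since the line is added without a comment, a one-line note above it explaining that this path bypasses proto->destroy() and must therefore drop the token itself would keep a later cleanup from removing it as redundant and reintroducing the use-after-free.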