From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Yuchung Cheng <ycheng@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 19/24] tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
Date: Fri, 27 Apr 2018 15:57:54 +0200 [thread overview]
Message-ID: <20180427135632.373548822@linuxfoundation.org> (raw)
In-Reply-To: <20180427135631.584839868@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ]
syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1]
I believe this was caused by a TCP_MD5SIG being set on live
flow.
This is highly unexpected, since TCP option space is limited.
For instance, presence of TCP MD5 option automatically disables
TCP TimeStamp option at SYN/SYNACK time, which we can not do
once flow has been established.
Really, adding/deleting an MD5 key only makes sense on sockets
in CLOSE or LISTEN state.
[1]
BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline]
tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184
tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453
tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
sk_backlog_rcv include/net/sock.h:908 [inline]
__release_sock+0x2d6/0x680 net/core/sock.c:2271
release_sock+0x97/0x2a0 net/core/sock.c:2786
tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
SyS_sendto+0x8a/0xb0 net/socket.c:1715
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x448fe9
RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9
RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004
RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010
R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000
R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slub.c:2737 [inline]
__kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:984 [inline]
tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624
__tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline]
tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline]
tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469
tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
sk_backlog_rcv include/net/sock.h:908 [inline]
__release_sock+0x2d6/0x680 net/core/sock.c:2271
release_sock+0x97/0x2a0 net/core/sock.c:2786
tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
SyS_sendto+0x8a/0xb0 net/socket.c:1715
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2593,8 +2593,10 @@ static int do_tcp_setsockopt(struct sock
#ifdef CONFIG_TCP_MD5SIG
case TCP_MD5SIG:
- /* Read the IP->Key mappings from userspace */
- err = tp->af_specific->md5_parse(sk, optval, optlen);
+ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
+ err = tp->af_specific->md5_parse(sk, optval, optlen);
+ else
+ err = -EINVAL;
break;
#endif
case TCP_USER_TIMEOUT:
next prev parent reply other threads:[~2018-04-27 13:57 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-27 13:57 [PATCH 3.18 00/24] 3.18.107-stable review Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 01/24] cifs: do not allow creating sockets except with SMB1 posix exensions Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 02/24] x86/tsc: Prevent 32bit truncation in calc_hpet_ref() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 03/24] ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 04/24] ext4: bugfix for mmaped pages in mpage_release_unused_pages() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 05/24] ext4: dont update checksum of new initialized bitmaps Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 06/24] perf: Return proper values for user stack errors Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 07/24] mm/filemap.c: fix NULL pointer in page_cache_tree_insert() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 08/24] jbd2: fix use after free in kjournald2() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 09/24] bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 10/24] KEYS: DNS: limit the length of option strings Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 11/24] l2tp: check sockaddr length in pppol2tp_connect() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 12/24] tcp: dont read out-of-bounds opsize Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 13/24] team: avoid adding twice the same option to the event list Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 14/24] team: fix netconsole setup over team Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 15/24] pppoe: check sockaddr length in pppoe_connect() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 16/24] llc: hold llc_sap before release_sock() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 17/24] llc: fix NULL pointer deref for SOCK_ZAPPED Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 18/24] packet: fix bitfield update race Greg Kroah-Hartman
2018-04-27 13:57 ` Greg Kroah-Hartman [this message]
2018-04-27 13:57 ` [PATCH 3.18 20/24] net: af_packet: fix race in PACKET_{R|T}X_RING Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 21/24] llc: delete timers synchronously in llc_sk_free() Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 22/24] ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 23/24] scsi: mptsas: Disable WRITE SAME Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 24/24] cdrom: information leak in cdrom_ioctl_media_changed() Greg Kroah-Hartman
2018-04-27 16:00 ` [PATCH 3.18 00/24] 3.18.107-stable review Dede Dindin Qudsy
2018-04-28 5:51 ` Greg Kroah-Hartman
2018-04-28 6:40 ` Harsh Shandilya
2018-04-27 18:12 ` Shuah Khan
2018-04-28 5:02 ` Greg Kroah-Hartman
2018-04-27 19:03 ` kernelci.org bot
2018-04-27 19:41 ` Theodore Y. Ts'o
2018-04-28 4:35 ` Greg Kroah-Hartman
2018-04-27 21:33 ` Harsh Shandilya
2018-04-28 5:02 ` Greg Kroah-Hartman
2018-04-28 14:24 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180427135632.373548822@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.