From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Yuchung Cheng <ycheng@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 44/50] tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
Date: Fri, 27 Apr 2018 15:58:46 +0200 [thread overview]
Message-ID: <20180427135658.275018343@linuxfoundation.org> (raw)
In-Reply-To: <20180427135655.623669681@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ]
syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1]
I believe this was caused by a TCP_MD5SIG being set on live
flow.
This is highly unexpected, since TCP option space is limited.
For instance, presence of TCP MD5 option automatically disables
TCP TimeStamp option at SYN/SYNACK time, which we can not do
once flow has been established.
Really, adding/deleting an MD5 key only makes sense on sockets
in CLOSE or LISTEN state.
[1]
BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline]
tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184
tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453
tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
sk_backlog_rcv include/net/sock.h:908 [inline]
__release_sock+0x2d6/0x680 net/core/sock.c:2271
release_sock+0x97/0x2a0 net/core/sock.c:2786
tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
SyS_sendto+0x8a/0xb0 net/socket.c:1715
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x448fe9
RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9
RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004
RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010
R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000
R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slub.c:2737 [inline]
__kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:984 [inline]
tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624
__tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline]
tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline]
tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469
tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
sk_backlog_rcv include/net/sock.h:908 [inline]
__release_sock+0x2d6/0x680 net/core/sock.c:2271
release_sock+0x97/0x2a0 net/core/sock.c:2786
tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg net/socket.c:640 [inline]
SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
SyS_sendto+0x8a/0xb0 net/socket.c:1715
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2589,8 +2589,10 @@ static int do_tcp_setsockopt(struct sock
#ifdef CONFIG_TCP_MD5SIG
case TCP_MD5SIG:
- /* Read the IP->Key mappings from userspace */
- err = tp->af_specific->md5_parse(sk, optval, optlen);
+ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
+ err = tp->af_specific->md5_parse(sk, optval, optlen);
+ else
+ err = -EINVAL;
break;
#endif
case TCP_USER_TIMEOUT:
next prev parent reply other threads:[~2018-04-27 13:58 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-27 13:58 [PATCH 4.4 00/50] 4.4.130-stable review Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 01/50] cifs: do not allow creating sockets except with SMB1 posix exensions Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 02/50] x86/tsc: Prevent 32bit truncation in calc_hpet_ref() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 03/50] perf: Return proper values for user stack errors Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 04/50] staging: ion : Donnot wakeup kswapd in ion system alloc Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 05/50] r8152: add Linksys USB3GIGV1 id Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 06/50] Input: drv260x - fix initializing overdrive voltage Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 07/50] ath9k_hw: check if the chip failed to wake up Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 08/50] jbd2: fix use after free in kjournald2() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 09/50] Revert "ath10k: send (re)assoc peer command when NSS changed" Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 10/50] s390: introduce CPU alternatives Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 11/50] s390: enable CPU alternatives unconditionally Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 12/50] KVM: s390: wire up bpb feature Greg Kroah-Hartman
2018-04-27 15:10 ` Christian Borntraeger
2018-04-27 15:17 ` Greg Kroah-Hartman
2018-04-27 15:46 ` Greg Kroah-Hartman
2018-04-27 15:53 ` Christian Borntraeger
2018-04-29 7:51 ` Martin Schwidefsky
2018-04-30 18:17 ` Greg Kroah-Hartman
2018-04-30 18:30 ` Christian Borntraeger
2018-04-27 16:23 ` [fixed Patch] " Christian Borntraeger
2018-04-28 5:53 ` Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 13/50] s390: scrub registers on kernel entry and KVM exit Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 14/50] s390: add optimized array_index_mask_nospec Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 15/50] s390/alternative: use a copy of the facility bit mask Greg Kroah-Hartman
2018-05-04 7:37 ` Jiri Slaby
2018-05-04 7:41 ` Jiri Slaby
2018-05-04 22:18 ` Greg Kroah-Hartman
2018-05-07 6:07 ` Martin Schwidefsky
2018-05-08 7:20 ` Greg Kroah-Hartman
2018-05-12 19:44 ` Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 16/50] s390: add options to change branch prediction behaviour for the kernel Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 17/50] s390: run user space and KVM guests with modified branch prediction Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 18/50] s390: introduce execute-trampolines for branches Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 19/50] s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*) Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 20/50] s390: do not bypass BPENTER for interrupt system calls Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 21/50] s390/entry.S: fix spurious zeroing of r0 Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 22/50] s390: move nobp parameter functions to nospec-branch.c Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 23/50] s390: add automatic detection of the spectre defense Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 24/50] s390: report spectre mitigation via syslog Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 25/50] s390: add sysfs attributes for spectre Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 26/50] s390: correct nospec auto detection init order Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 27/50] s390: correct module section names for expoline code revert Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 28/50] bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 29/50] KEYS: DNS: limit the length of option strings Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 30/50] l2tp: check sockaddr length in pppol2tp_connect() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 31/50] net: validate attribute sizes in neigh_dump_table() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 32/50] llc: delete timers synchronously in llc_sk_free() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 33/50] tcp: dont read out-of-bounds opsize Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 34/50] team: avoid adding twice the same option to the event list Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 35/50] team: fix netconsole setup over team Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 36/50] packet: fix bitfield update race Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 37/50] pppoe: check sockaddr length in pppoe_connect() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 38/50] vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 39/50] sctp: do not check port in sctp_inet6_cmp_addr Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 40/50] llc: hold llc_sap before release_sock() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 41/50] llc: fix NULL pointer deref for SOCK_ZAPPED Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 42/50] tipc: add policy for TIPC_NLA_NET_ADDR Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 43/50] net: fix deadlock while clearing neighbor proxy table Greg Kroah-Hartman
2018-04-27 13:58 ` Greg Kroah-Hartman [this message]
2018-04-27 13:58 ` [PATCH 4.4 45/50] net: af_packet: fix race in PACKET_{R|T}X_RING Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 46/50] ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 47/50] scsi: mptsas: Disable WRITE SAME Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 48/50] cdrom: information leak in cdrom_ioctl_media_changed() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 49/50] s390/cio: update chpid descriptor after resource accessibility event Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.4 50/50] s390/uprobes: implement arch_uretprobe_is_alive() Greg Kroah-Hartman
2018-04-27 18:15 ` [PATCH 4.4 00/50] 4.4.130-stable review Shuah Khan
2018-04-27 18:57 ` Nathan Chancellor
2018-04-27 19:43 ` kernelci.org bot
2018-04-27 20:31 ` Dan Rue
2018-04-28 14:25 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180427135658.275018343@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.