Commit 964bc277 authored by Eric Dumazet, committed by Ziyang Xuan

mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()

mainline inclusion
from mainline-v6.8-rc1
commit be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9D1
CVE: CVE-2024-35840

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb



--------------------------------

subflow_finish_connect() uses four fields (backup, join_id, thmac, none)
that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set
in mptcp_parse_option()

Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Krystad <peter.krystad@linux.intel.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Mat Martineau <martineau@kernel.org>
Cc: Geliang Tang <geliang.tang@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20240111194917.4044654-4-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Conflicts:
	net/mptcp/options.c
	net/mptcp/protocol.h
	net/mptcp/subflow.c
[The introduction of suboptions is from commit 74c7dfbe, and
OPTION_MPTCP_MPJ_SYNACK assignment of suboptions is from commit 89e23277f9c1.
Just focus on OPTION_MPTCP_MPJ_SYNACK related logic.]
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
parent f300accf
+2 −0
@@ -113,6 +113,7 @@ static void mptcp_parse_option(const struct sk_buff *skb,
				 mp_opt->backup, mp_opt->join_id,
				 mp_opt->token, mp_opt->nonce);
		} else if (opsize == TCPOLEN_MPTCP_MPJ_SYNACK) {
			mp_opt->suboptions |= OPTION_MPTCP_MPJ_SYNACK;
			mp_opt->backup = *ptr++ & MPTCPOPT_BACKUP;
			mp_opt->join_id = *ptr++;
			mp_opt->thmac = get_unaligned_be64(ptr);
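Review bot: Only the TCPOLEN_MPTCP_MPJ_SYNACK branch sets a bit in mp_opt->suboptions; the branch just above it, which logs backup, join_id, token and nonce, leaves the mask untouched. If that is intentional for this backport (the conflict note says to focus on the OPTION_MPTCP_MPJ_SYNACK logic only), say so in a comment next to `mp_opt->suboptions |= OPTION_MPTCP_MPJ_SYNACK;` so a later reader does not assume every MP_JOIN variant is reflected in suboptions.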
@@ -299,6 +300,7 @@ void mptcp_get_options(const struct sk_buff *skb,
	mp_opt->port = 0;
	mp_opt->rm_addr = 0;
	mp_opt->dss = 0;
	mp_opt->suboptions = 0;

	length = (th->doff * 4) - sizeof(struct tcphdr);
	ptr = (const unsigned char *)(th + 1);
+1 −0
@@ -107,6 +107,7 @@ struct mptcp_options_received {
		family : 4,
		echo : 1,
		backup : 1;
	u16	suboptions;
	u32	token;
	u32	nonce;
	u64	thmac;
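Review bot: The new `u16 suboptions;` member has no comment stating that it is a bitmask of OPTION_MPTCP_* flags or which members each flag validates. The fix depends on backup, join_id and thmac being meaningful only when OPTION_MPTCP_MPJ_SYNACK is set, so document that relationship here in the struct, where someone adding a new reader of those fields will see it.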
+2 −1
@@ -323,7 +323,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb)
	} else if (subflow->request_join) {
		u8 hmac[SHA256_DIGEST_SIZE];

		if (!mp_opt.mp_join)
		if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_SYNACK))
			goto do_reset;

		subflow->thmac = mp_opt.thmac;
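Review bot: The suboptions test in the request_join branch is the only visible guard before `subflow->thmac = mp_opt.thmac;`, so every read of the SYN/ACK fields named in the commit message has to stay below it. Add a one-line comment above `if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_SYNACK))` explaining that mp_join alone does not show these fields were parsed, so a later cleanup does not revert to the weaker check.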
@@ -542,6 +542,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
	 * are not parsed
	 */
	mp_opt.mp_capable = 0;
	mp_opt.suboptions = 0;

	/* hopefully temporary handling for MP_JOIN+syncookie */
	subflow_req = mptcp_subflow_rsk(req);
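Review bot: `mp_opt.suboptions = 0;` is a second hand-written reset, placed next to `mp_opt.mp_capable = 0;` for the path where options are not parsed, and it duplicates the reset added in mptcp_get_options(). Every new validity field now has to be remembered in both places; a small helper that clears all of them, or zero-initialising mp_opt where it is declared, would remove that dependency. The visible lines do not clear mp_join here either, which is worth confirming against the rest of the function.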