Unverified Commit dae62c1b authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!12096 CVE-2024-46858

Merge Pull Request from: @ci-robot 
 
PR sync from: Wang Liang <wangliang74@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4WFIK2XDJLQN5PFBNOIBGXJNEJRXWYIP/ 
Davide Caratti (1):
  mptcp: validate 'id' when stopping the ADD_ADDR retransmit timer

Edward Adam Davis (1):
  mptcp: pm: Fix uaf in __timer_delete_sync

Geliang Tang (1):
  mptcp: export lookup_anno_list_by_saddr


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IAU9JW 
 
Link:https://gitee.com/openeuler/kernel/pulls/12096

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
parents f97dbea2 ac2794e0
+1 −1
@@ -917,7 +917,7 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
			mptcp_pm_add_addr_received(msk, &addr);
			MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_ADDADDR);
		} else {
			mptcp_pm_del_add_timer(msk, &addr);
			mptcp_pm_del_add_timer(msk, &addr, true);
			MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_ECHOADD);
		}
		mp_opt.add_addr = 0;
+16 −11
@@ -195,8 +195,8 @@ static void check_work_pending(struct mptcp_sock *msk)
		WRITE_ONCE(msk->pm.work_pending, false);
}

static struct mptcp_pm_add_entry *
lookup_anno_list_by_saddr(struct mptcp_sock *msk,
struct mptcp_pm_add_entry *
mptcp_lookup_anno_list_by_saddr(struct mptcp_sock *msk,
				struct mptcp_addr_info *addr)
{
	struct mptcp_pm_add_entry *entry;
@@ -250,19 +250,25 @@ static void mptcp_pm_add_timer(struct timer_list *timer)

struct mptcp_pm_add_entry *
mptcp_pm_del_add_timer(struct mptcp_sock *msk,
		       struct mptcp_addr_info *addr)
		       struct mptcp_addr_info *addr, bool check_id)
{
	struct mptcp_pm_add_entry *entry;
	struct sock *sk = (struct sock *)msk;
	struct timer_list *add_timer = NULL;

	spin_lock_bh(&msk->pm.lock);
	entry = lookup_anno_list_by_saddr(msk, addr);
	if (entry)
	entry = mptcp_lookup_anno_list_by_saddr(msk, addr);
	if (entry && (!check_id || entry->addr.id == addr->id)) {
		entry->retrans_times = ADD_ADDR_RETRANS_MAX;
		add_timer = &entry->add_timer;
	}
	if (!check_id && entry)
		list_del(&entry->list);
	spin_unlock_bh(&msk->pm.lock);

	if (entry)
		sk_stop_timer_sync(sk, &entry->add_timer);
	/* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */
	if (add_timer)
		sk_stop_timer_sync(sk, add_timer);

	return entry;
}
@@ -273,7 +279,7 @@ static bool mptcp_pm_alloc_anno_list(struct mptcp_sock *msk,
	struct mptcp_pm_add_entry *add_entry = NULL;
	struct sock *sk = (struct sock *)msk;

	if (lookup_anno_list_by_saddr(msk, &entry->addr))
	if (mptcp_lookup_anno_list_by_saddr(msk, &entry->addr))
		return false;

	add_entry = kmalloc(sizeof(*add_entry), GFP_ATOMIC);
@@ -742,9 +748,8 @@ static bool remove_anno_list_by_saddr(struct mptcp_sock *msk,
{
	struct mptcp_pm_add_entry *entry;

	entry = mptcp_pm_del_add_timer(msk, addr);
	entry = mptcp_pm_del_add_timer(msk, addr, false);
	if (entry) {
		list_del(&entry->list);
		kfree(entry);
		return true;
	}
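Review bot: In mptcp_pm_del_add_timer(), `add_timer` is taken from `entry` under `msk->pm.lock` but only passed to `sk_stop_timer_sync()` after `spin_unlock_bh()`, and with `check_id == true` the entry is left on the announce list. Whether another path can unlink and `kfree()` that entry in the window is not visible in this hunk, so the entry's lifetime on the echo path should be confirmed (or pinned) before relying on that pointer. The function also now has two ownership modes that nothing documents: with `check_id == false` it does the `list_del()` itself and remove_anno_list_by_saddr() frees the result, while with `check_id == true` it can return an entry that is still linked and, when the ids differ, whose timer was not stopped. I would add above the definition something like `/* check_id=false: entry is unlinked under pm.lock, caller owns it and must kfree() it; check_id=true: entry stays on the list and the return value must not be freed */`.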
+4 −1
@@ -449,6 +449,9 @@ void mptcp_pm_rm_addr_received(struct mptcp_sock *msk, u8 rm_id);
void mptcp_pm_free_anno_list(struct mptcp_sock *msk);
struct mptcp_pm_add_entry *
mptcp_pm_del_add_timer(struct mptcp_sock *msk,
		       struct mptcp_addr_info *addr, bool check_id);
struct mptcp_pm_add_entry *
mptcp_lookup_anno_list_by_saddr(struct mptcp_sock *msk,
				struct mptcp_addr_info *addr);

int mptcp_pm_announce_addr(struct mptcp_sock *msk,