kernel_samsung_a53x/net
Matthieu Baerts (NGI0) 01052d8485 mptcp: pm: avoid possible UaF when selecting endp
commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d upstream.

select_local_address() and select_signal_address() both select an
endpoint entry from the list inside an RCU protected section, but return
a reference to it, to be read later on. If the entry is dereferenced
after the RCU unlock, reading info could cause a Use-after-Free.

A simple solution is to copy the required info while inside the RCU
protected section to avoid any risk of UaF later. The address ID might
need to be modified later to handle the ID0 case later, so a copy seems
OK to deal with.

Reported-by: Paolo Abeni <pabeni@redhat.com>
Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in pm_netlink.c, because quite a bit of new code has been
  added around since commit 86e39e04482b ("mptcp: keep track of local
  endpoint still available for each msk"), and commit 2843ff6f36db
  ("mptcp: remote addresses fullmesh"). But the issue is still there.
  The conflicts have been resolved using the same way: by adding a new
  parameter to select_local_address() and select_signal_address(), and
  use it instead of the pointer they were previously returning. The code
  is simpler in this version, this conflict resolution looks safe. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-19 14:48:42 +01:00
..
6lowpan
9p 9p/xen: fix release of IRQ 2024-12-17 13:24:22 +01:00
802
8021q gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
appletalk
atm
ax25 Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
batman-adv batman-adv: Do not let TT changes list grows indefinitely 2025-01-02 17:00:49 +01:00
bluetooth Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() 2024-12-17 13:24:30 +01:00
bpf
bpfilter
bridge net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN 2025-01-19 00:10:01 +01:00
caif
can can: bcm: Remove proc entry when dev is unregistered. 2025-01-19 00:10:01 +01:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-11-19 14:19:45 +01:00
core Revert "skb_expand_head() adjust skb->truesize incorrectly" 2025-01-15 16:38:33 +01:00
dcb
dccp dccp: Fix memory leak in dccp_feat_change_recv 2024-12-17 13:24:26 +01:00
decnet
dns_resolver
dsa
ethernet gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
ethtool ethtool: Fix wrong mod state in case of verbose and no_mask bitset 2024-12-17 13:24:27 +01:00
hsr net: hsr: avoid potential out-of-bound access in fill_frame_info() 2024-12-17 13:24:26 +01:00
ieee802154 net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() 2024-12-17 13:24:30 +01:00
ife
ipv4 tcp_bpf: fix return value of tcp_bpf_sendmsg() 2025-01-19 00:10:01 +01:00
ipv6 gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
iucv Revert "net/iucv: fix use after free in iucv_sock_close()" 2024-11-24 00:23:55 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-11-23 23:20:48 +01:00
key
l2tp genetlink: hold RCU in genlmsg_mcast() 2024-11-23 23:21:59 +01:00
l3mdev net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-11-23 23:21:52 +01:00
lapb
llc net: llc: reset skb->transport_header 2025-01-15 16:29:53 +01:00
mac80211 wifi: mac80211: wake the queues in case of failure in resume 2025-01-15 16:29:54 +01:00
mac802154 Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" 2024-11-19 14:52:14 +01:00
mpls
mptcp mptcp: pm: avoid possible UaF when selecting endp 2025-01-19 14:48:42 +01:00
ncm
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-11-19 14:19:00 +01:00
netfilter netfilter: ipset: Fix for recursive locking warning 2025-01-15 16:29:41 +01:00
netlabel
netlink netlink: terminate outstanding dump on socket close 2024-12-17 13:20:50 +01:00
netrom netrom: check buffer length before accessing it 2025-01-15 16:29:53 +01:00
nfc nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 2024-11-19 12:27:10 +01:00
nsh
openvswitch openvswitch: Set the skbuff pkt_type for proper pmtud support. 2024-11-19 12:27:09 +01:00
packet af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK 2025-01-15 16:29:54 +01:00
phonet Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
psample
qrtr Revert "net: qrtr: Update packets cloning when broadcasting" 2024-11-24 00:23:18 +01:00
rds Revert "net:rds: Fix possible deadlock in rds_message_put" 2024-11-24 00:23:49 +01:00
rfkill net: rfkill: gpio: Add check for clk_enable() 2024-12-17 13:24:07 +01:00
rose Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
rxrpc
sched BACKPORT: netem: fix return value if duplicate enqueue fails 2025-01-19 00:09:58 +01:00
sctp net/sctp: Prevent autoclose integer overflow in sctp_association_init() 2025-01-15 16:29:56 +01:00
skb_tracer
smc net/smc: check return value of sock_recvmsg when draining clc data 2025-01-15 16:29:41 +01:00
strparser
sunrpc sunrpc: pass in the sv_stats struct through svc_create_pooled 2025-01-19 14:48:42 +01:00
switchdev
tipc tipc: fix NULL deref in cleanup_bearer() 2025-01-02 17:00:49 +01:00
tls tls: fix missing memory barrier in tls_init 2024-11-19 12:27:09 +01:00
unix Revert "af_unix: Remove put_pid()/put_cred() in copy_peercred()." 2024-11-24 00:23:43 +01:00
vmw_vsock virtio/vsock: Fix accept_queue memory leak 2025-01-02 17:00:49 +01:00
wimax
wireless Revert "wifi: nl80211: don't give key data to userspace" 2024-11-24 00:23:55 +01:00
x25 Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
xdp
xfrm xfrm: store and rely on direction to construct offload flags 2024-12-17 13:24:04 +01:00
compat.c
devres.c
Kconfig
Makefile
socket.c
sysctl_net.c
TEST_MAPPING