kernel_samsung_a53x/net
Matthieu Baerts (NGI0) 01052d8485 mptcp: pm: avoid possible UaF when selecting endp
commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d upstream.

select_local_address() and select_signal_address() both select an
endpoint entry from the list inside an RCU protected section, but return
a reference to it, to be read later on. If the entry is dereferenced
after the RCU unlock, reading info could cause a Use-after-Free.

A simple solution is to copy the required info while inside the RCU
protected section to avoid any risk of UaF later. The address ID might
need to be modified later to handle the ID0 case later, so a copy seems
OK to deal with.

Reported-by: Paolo Abeni <pabeni@redhat.com>
Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in pm_netlink.c, because quite a bit of new code has been
  added around since commit 86e39e04482b ("mptcp: keep track of local
  endpoint still available for each msk"), and commit 2843ff6f36db
  ("mptcp: remote addresses fullmesh"). But the issue is still there.
  The conflicts have been resolved using the same way: by adding a new
  parameter to select_local_address() and select_signal_address(), and
  use it instead of the pointer they were previously returning. The code
  is simpler in this version, this conflict resolution looks safe. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-19 14:48:42 +01:00
..
6lowpan Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
9p 9p/xen: fix release of IRQ 2024-12-17 13:24:22 +01:00
802 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
8021q gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2024-11-18 12:11:49 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2024-11-18 12:11:49 +01:00
ax25 Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
batman-adv batman-adv: Do not let TT changes list grows indefinitely 2025-01-02 17:00:49 +01:00
bluetooth Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() 2024-12-17 13:24:30 +01:00
bpf Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bpfilter Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bridge net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN 2025-01-19 00:10:01 +01:00
caif Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
can can: bcm: Remove proc entry when dev is unregistered. 2025-01-19 00:10:01 +01:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-11-19 14:19:45 +01:00
core Revert "skb_expand_head() adjust skb->truesize incorrectly" 2025-01-15 16:38:33 +01:00
dcb Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dccp dccp: Fix memory leak in dccp_feat_change_recv 2024-12-17 13:24:26 +01:00
decnet Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-11-18 12:12:43 +01:00
dsa Backport mac80211 patches from linux-6.1.y 2024-06-15 16:29:20 -03:00
ethernet gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
ethtool ethtool: Fix wrong mod state in case of verbose and no_mask bitset 2024-12-17 13:24:27 +01:00
hsr net: hsr: avoid potential out-of-bound access in fill_frame_info() 2024-12-17 13:24:26 +01:00
ieee802154 net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() 2024-12-17 13:24:30 +01:00
ife net: sched: ife: fix potential use-after-free 2024-11-18 12:11:59 +01:00
ipv4 tcp_bpf: fix return value of tcp_bpf_sendmsg() 2025-01-19 00:10:01 +01:00
ipv6 gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2025-01-19 00:10:01 +01:00
iucv Revert "net/iucv: fix use after free in iucv_sock_close()" 2024-11-24 00:23:55 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-11-23 23:20:48 +01:00
key Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
l2tp genetlink: hold RCU in genlmsg_mcast() 2024-11-23 23:21:59 +01:00
l3mdev net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-11-23 23:21:52 +01:00
lapb Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
llc net: llc: reset skb->transport_header 2025-01-15 16:29:53 +01:00
mac80211 wifi: mac80211: wake the queues in case of failure in resume 2025-01-15 16:29:54 +01:00
mac802154 Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" 2024-11-19 14:52:14 +01:00
mpls Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mptcp mptcp: pm: avoid possible UaF when selecting endp 2025-01-19 14:48:42 +01:00
ncm Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-11-19 14:19:00 +01:00
netfilter netfilter: ipset: Fix for recursive locking warning 2025-01-15 16:29:41 +01:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-11-18 12:12:25 +01:00
netlink netlink: terminate outstanding dump on socket close 2024-12-17 13:20:50 +01:00
netrom netrom: check buffer length before accessing it 2025-01-15 16:29:53 +01:00
nfc nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 2024-11-19 12:27:10 +01:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-11-19 11:32:42 +01:00
openvswitch openvswitch: Set the skbuff pkt_type for proper pmtud support. 2024-11-19 12:27:09 +01:00
packet af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK 2025-01-15 16:29:54 +01:00
phonet Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2024-11-18 12:11:46 +01:00
qrtr Revert "net: qrtr: Update packets cloning when broadcasting" 2024-11-24 00:23:18 +01:00
rds Revert "net:rds: Fix possible deadlock in rds_message_put" 2024-11-24 00:23:49 +01:00
rfkill net: rfkill: gpio: Add check for clk_enable() 2024-12-17 13:24:07 +01:00
rose Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
rxrpc rxrpc: Fix response to PING RESPONSE ACKs to a dead call 2024-11-18 12:13:25 +01:00
sched BACKPORT: netem: fix return value if duplicate enqueue fails 2025-01-19 00:09:58 +01:00
sctp net/sctp: Prevent autoclose integer overflow in sctp_association_init() 2025-01-15 16:29:56 +01:00
skb_tracer Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
smc net/smc: check return value of sock_recvmsg when draining clc data 2025-01-15 16:29:41 +01:00
strparser Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sunrpc sunrpc: pass in the sv_stats struct through svc_create_pooled 2025-01-19 14:48:42 +01:00
switchdev Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tipc tipc: fix NULL deref in cleanup_bearer() 2025-01-02 17:00:49 +01:00
tls tls: fix missing memory barrier in tls_init 2024-11-19 12:27:09 +01:00
unix Revert "af_unix: Remove put_pid()/put_cred() in copy_peercred()." 2024-11-24 00:23:43 +01:00
vmw_vsock virtio/vsock: Fix accept_queue memory leak 2025-01-02 17:00:49 +01:00
wimax Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
wireless Revert "wifi: nl80211: don't give key data to userspace" 2024-11-24 00:23:55 +01:00
x25 Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
xdp xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING 2024-11-19 11:32:19 +01:00
xfrm xfrm: store and rely on direction to construct offload flags 2024-12-17 13:24:04 +01:00
compat.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
devres.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Kconfig Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
socket.c net: Save and restore msg_namelen in sock_sendmsg 2024-11-18 12:12:07 +01:00
sysctl_net.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
TEST_MAPPING Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00