WSL2-Linux-Kernel/net/mptcp
Florian Westphal b0519de8b3 mptcp: fix use-after-free for ipv6
Turns out that when we accept a new subflow, the newly created
inet_sk(tcp_sk)->pinet6 points at the ipv6_pinfo structure of the
listener socket.

This wasn't caught by the selftest because it closes the accepted fd
before the listening one.

adding a close(listenfd) after accept returns is enough:
 BUG: KASAN: use-after-free in inet6_getname+0x6ba/0x790
 Read of size 1 at addr ffff88810e310866 by task mptcp_connect/2518
 Call Trace:
  inet6_getname+0x6ba/0x790
  __sys_getpeername+0x10b/0x250
  __x64_sys_getpeername+0x6f/0xb0

also alter test program to exercise this.

Reported-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-02-06 11:25:09 +01:00
..
Kconfig mptcp: MPTCP_HMAC_TEST should depend on MPTCP 2020-01-30 09:55:37 +01:00
Makefile mptcp: new sysctl to control the activation per NS 2020-01-24 13:44:08 +01:00
crypto.c mptcp: move from sha1 (v0) to sha256 (v1) 2020-01-24 13:44:08 +01:00
ctrl.c mptcp: new sysctl to control the activation per NS 2020-01-24 13:44:08 +01:00
options.c mptcp: process MP_CAPABLE data option 2020-01-24 13:44:08 +01:00
protocol.c mptcp: fix use-after-free for ipv6 2020-02-06 11:25:09 +01:00
protocol.h mptcp: cope with later TCP fallback 2020-01-24 13:44:08 +01:00
subflow.c mptcp: Fix undefined mptcp_handle_ipv6_mapped for modular IPV6 2020-01-30 10:55:54 +01:00
token.c mptcp: Add key generation and token tree 2020-01-24 13:44:07 +01:00