[PATCH OLK-5.10] mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()

From: Eric Dumazet edumazet@google.com

mainline inclusion from mainline-v6.8-rc1 commit be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9D1 CVE: CVE-2024-35840

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option()

Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Eric Dumazet edumazet@google.com Cc: Florian Westphal fw@strlen.de Cc: Peter Krystad peter.krystad@linux.intel.com Cc: Matthieu Baerts matttbe@kernel.org Cc: Mat Martineau martineau@kernel.org Cc: Geliang Tang geliang.tang@linux.dev Reviewed-by: Simon Horman horms@kernel.org Acked-by: Paolo Abeni pabeni@redhat.com Reviewed-by: Mat Martineau martineau@kernel.org Link: https://lore.kernel.org/r/20240111194917.4044654-4-edumazet@google.com Signed-off-by: Jakub Kicinski kuba@kernel.org Conflicts: net/mptcp/options.c net/mptcp/protocol.h net/mptcp/subflow.c [The introduction of suboptions is from commit 74c7dfbee3e1, and OPTION_MPTCP_MPJ_SYNACK assignment of suboptions is from commit 89e23277f9c1. Just focus on OPTION_MPTCP_MPJ_SYNACK related logic.] Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com --- net/mptcp/options.c | 2 ++ net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 3 ++- 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 2cc80a07ff23..501011bec8b8 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -113,6 +113,7 @@ static void mptcp_parse_option(const struct sk_buff *skb, mp_opt->backup, mp_opt->join_id, mp_opt->token, mp_opt->nonce); } else if (opsize == TCPOLEN_MPTCP_MPJ_SYNACK) { + mp_opt->suboptions |= OPTION_MPTCP_MPJ_SYNACK; mp_opt->backup = *ptr++ & MPTCPOPT_BACKUP; mp_opt->join_id = *ptr++; mp_opt->thmac = get_unaligned_be64(ptr); @@ -299,6 +300,7 @@ void mptcp_get_options(const struct sk_buff *skb, mp_opt->port = 0; mp_opt->rm_addr = 0; mp_opt->dss = 0; + mp_opt->suboptions = 0;

length = (th->doff * 4) - sizeof(struct tcphdr); ptr = (const unsigned char *)(th + 1); diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 3e5af8397434..9f8fb7b1f4fa 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -107,6 +107,7 @@ struct mptcp_options_received { family : 4, echo : 1, backup : 1; + u16 suboptions; u32 token; u32 nonce; u64 thmac; diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 9d2e73db4c27..1b73230c0262 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -323,7 +323,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb) } else if (subflow->request_join) { u8 hmac[SHA256_DIGEST_SIZE];

- if (!mp_opt.mp_join) + if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_SYNACK)) goto do_reset;

subflow->thmac = mp_opt.thmac; @@ -542,6 +542,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, * are not parsed */ mp_opt.mp_capable = 0; + mp_opt.suboptions = 0;

/* hopefully temporary handling for MP_JOIN+syncookie */ subflow_req = mptcp_subflow_rsk(req);