Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2381057pxb; Mon, 20 Sep 2021 20:50:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJybSAmMaOlJzQHUDPSH4+L0PLflWALEPwWEFgP2Khc9sp/PkkaK8esRnEaKDKJN5LwKU/e9 X-Received: by 2002:a50:d901:: with SMTP id t1mr1735219edj.79.1632196222209; Mon, 20 Sep 2021 20:50:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632196222; cv=none; d=google.com; s=arc-20160816; b=h+RVfDQHIsOzx5fPzRiKHDoC7DyQc80rWlotzfaAz2wCf7Y5M/XbwaaLxhGyLD7Cw2 t1xhIfEa0o0gToHf5r4xlunSTuI439FF08l/rnp9kQZn9MJzMZyNGObXrXoU2vuPhn8h Hy5kD6p4CLl9xXdk8VnIgq+fe+OrHM13F/ZDl3C41uMqP4YrU5f6m0jAg/CqX4ZdPjn2 aiJy3vQv6LQFy0Gz8yBBTohEWbVytXQdKaT+FA+6AFYTOgWdYC1RxGyzuKaYABtg5ypx 46F2YodIGmcQyDi3k+hDxeyNzd0tkxmFtGyUyWZzgzr5GZtBjh5oZCypwC6TiC6hcHkx Rb7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:message-id:in-reply-to :subject:cc:to:from:date; bh=nuhRb5M9dQCHXqjbORkT/zeiWwNU4zA2wcg2RZDVs5E=; b=0ugihX+nHKHE6SmimqRVBPZstSNzgxy0CkuOzDxnd0yA/9yGYI/E/EqlvZyrkUCn/Q acoDT/TG+cs++nJM+m8iTCFQozi3vvLKwBVwhKPZ0O5sT7ECF9f9rq41sd/O60KdKpqP 3968hj62aHrtXGRNDS0NwuqzfJCkEADetBdWX9q+u04GP/cb44DnBgZEGzkYPM7zj+A/ ef8rrpe3/nXmHSorioAZpTDPtFQDuf0CSG697F1xpTAQAByd0o43LHNdXTHhmqo0nO04 vdWedlv+7JW3x9IvAEF8eFVvC2/TAOR3CLFW5xMiKrdf+f73L0lWa6ldFYq5E8Rde+j9 Yy8A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l24si18100124edw.288.2021.09.20.20.49.58; Mon, 20 Sep 2021 20:50:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233212AbhIUAIr (ORCPT + 99 others); Mon, 20 Sep 2021 20:08:47 -0400 Received: from mga11.intel.com ([192.55.52.93]:9186 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233475AbhIUAGr (ORCPT ); Mon, 20 Sep 2021 20:06:47 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10113"; a="220064862" X-IronPort-AV: E=Sophos;i="5.85,309,1624345200"; d="scan'208";a="220064862" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Sep 2021 17:05:19 -0700 X-IronPort-AV: E=Sophos;i="5.85,309,1624345200"; d="scan'208";a="473985725" Received: from nkhakpas-mobl.amr.corp.intel.com ([10.212.134.160]) by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Sep 2021 17:05:19 -0700 Date: Mon, 20 Sep 2021 17:05:19 -0700 (PDT) From: Mat Martineau To: Tim Gardner cc: mptcp@lists.linux.dev, Matthieu Baerts , "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH][next] mptcp: Avoid NULL dereference in mptcp_getsockopt_subflow_addrs() In-Reply-To: <20210920154232.15494-1-tim.gardner@canonical.com> Message-ID: <149982aa-720-35be-4866-39259b92884d@linux.intel.com> References: <20210920154232.15494-1-tim.gardner@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 20 Sep 2021, Tim Gardner wrote: > Coverity complains of a possible NULL dereference in > mptcp_getsockopt_subflow_addrs(): > > 861 } else if (sk->sk_family == AF_INET6) { > 3. returned_null: inet6_sk returns NULL. [show details] > 4. var_assigned: Assigning: np = NULL return value from inet6_sk. > 862 const struct ipv6_pinfo *np = inet6_sk(sk); > > Fix this by checking for NULL. > > Cc: Mat Martineau > Cc: Matthieu Baerts > Cc: "David S. Miller" > Cc: Jakub Kicinski > Cc: netdev@vger.kernel.org > Cc: mptcp@lists.linux.dev > Cc: linux-kernel@vger.kernel.org > Signed-off-by: Tim Gardner > > [ I'm not at all sure this is the right thing to do since the final result is to > return garbage to user space in mptcp_getsockopt_subflow_addrs(). Is this one > of those cases where inet6_sk() can't fail ?] Hi Tim - Thanks for noticing this and proposing a fix. As you commented, this isn't the right change to merge since mptcp_getsockopt_subflow_addrs() would copy garbage. This block of code already checks that CONFIG_IPV6 is enabled, so the question is whether sk_fullsock() would return false because the subflow is in TCP_TIME_WAIT or TCP_NEW_SYN_RECV. The caller is iterating over sockets in the MPTCP socket's conn_list, which does not contain request_socks (so there are no sockets in the TCP_NEW_SYN_RECV state). TCP subflow sockets are normally removed from the conn_list before they are closed by their parent MPTCP socket, but I need to double-check for corner cases. I created a github issue to track this: https://github.com/multipath-tcp/mptcp_net-next/issues/231 Thanks, Mat > --- > net/mptcp/sockopt.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c > index 8137cc3a4296..c89f2bedce79 100644 > --- a/net/mptcp/sockopt.c > +++ b/net/mptcp/sockopt.c > @@ -861,6 +861,9 @@ static void mptcp_get_sub_addrs(const struct sock *sk, struct mptcp_subflow_addr > } else if (sk->sk_family == AF_INET6) { > const struct ipv6_pinfo *np = inet6_sk(sk); > > + if (!np) > + return; > + > a->sin6_local.sin6_family = AF_INET6; > a->sin6_local.sin6_port = inet->inet_sport; > > -- > 2.33.0 > > -- Mat Martineau Intel