This repository has been archived by the owner on Apr 18, 2024. It is now read-only.
mptcp: Reset icsk_bind_hash to NULL to avoid use-after-free in inet_put_port

Normally, the master-sk's icsk_bind_hash is going to be properly set by the call to __inet_inherit_port in mptcp_create_master_sk(). However, if we don't get there, it will be pointing to the same as the meta-socket as sk_clone_lock inherits it.

That's why in inet_csk_clone_lock() it is set to NULL. We need to do the same!

Otherwise, we can panic when we hit the error code-path in mptcp_create_master_sk():

==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:212 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:649 [inline]
BUG: KASAN: use-after-free in __sk_del_bind_node include/net/sock.h:698 [inline]
BUG: KASAN: use-after-free in __inet_put_port net/ipv4/inet_hashtables.c:114 [inline]
BUG: KASAN: use-after-free in inet_put_port+0x413/0x450 net/ipv4/inet_hashtables.c:124
Write of size 8 at addr ffff888068572e38 by task syz-executor.5/10165

CPU: 0 PID: 10165 Comm: syz-executor.5 Not tainted 4.14.104 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x7b/0xa6 lib/dump_stack.c:53
 print_address_description+0x6e/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x251/0x340 mm/kasan/report.c:409
 __write_once_size include/linux/compiler.h:212 [inline]
 __hlist_del include/linux/list.h:649 [inline]
 __sk_del_bind_node include/net/sock.h:698 [inline]
 __inet_put_port net/ipv4/inet_hashtables.c:114 [inline]
 inet_put_port+0x413/0x450 net/ipv4/inet_hashtables.c:124
 tcp_set_state+0x138/0x3c0 net/ipv4/tcp.c:2118
 tcp_done+0xf0/0x2a0 net/ipv4/tcp.c:3636
 mptcp_create_master_sk+0x1b5f/0x1f60 net/mptcp/mptcp_ctrl.c:1940
 mptcp_rcv_synsent_state_process+0x534/0x10c0 net/mptcp/mptcp_input.c:2291
 tcp_rcv_synsent_state_process+0x1908/0x2bc0 net/ipv4/tcp_input.c:5827
 tcp_rcv_state_process+0x71e/0x23d0 net/ipv4/tcp_input.c:6073
 tcp_v6_do_rcv+0x7a4/0x12f0 net/ipv6/tcp_ipv6.c:1381
 sk_backlog_rcv include/net/sock.h:907 [inline]
 __release_sock+0x187/0x2e0 net/core/sock.c:2289
 release_sock+0x54/0x190 net/core/sock.c:2804
 inet_stream_connect+0x76/0xa0 net/ipv4/af_inet.c:686
 SYSC_connect+0x18b/0x290 net/socket.c:1654
 do_syscall_64+0x194/0x490 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x7f4326c4f469
RSP: 002b:00007f432733fdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000065bf00 RCX: 00007f4326c4f469
RDX: 000000000000001c RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007f432733fde0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000040fac4
R13: 0000000000420248 R14: 00007f43273405c0 R15: 0000000000000005

Allocated by task 10165:
 save_stack+0x32/0xb0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2723 [inline]
 slab_alloc mm/slub.c:2731 [inline]
 kmem_cache_alloc+0xd0/0x1f0 mm/slub.c:2736
 inet_bind_bucket_create+0x25/0x240 net/ipv4/inet_hashtables.c:69
 __inet_hash_connect+0x498/0xb00 net/ipv4/inet_hashtables.c:608
 tcp_v6_connect+0xee8/0x1b50 net/ipv6/tcp_ipv6.c:287
 __inet_stream_connect+0x28c/0xb60 net/ipv4/af_inet.c:621
 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:685
 SYSC_connect+0x18b/0x290 net/socket.c:1654
 do_syscall_64+0x194/0x490 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Freed by task 10165:
 save_stack+0x32/0xb0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kmem_cache_free+0x79/0x1f0 mm/slub.c:2988
 inet_bind_bucket_destroy net/ipv4/inet_hashtables.c:89 [inline]
 __inet_put_port net/ipv4/inet_hashtables.c:117 [inline]
 inet_put_port+0x373/0x450 net/ipv4/inet_hashtables.c:124
 tcp_set_state+0x138/0x3c0 net/ipv4/tcp.c:2118
 tcp_done+0xf0/0x2a0 net/ipv4/tcp.c:3636
 mptcp_create_master_sk+0x1b4f/0x1f60 net/mptcp/mptcp_ctrl.c:1938
 mptcp_rcv_synsent_state_process+0x534/0x10c0 net/mptcp/mptcp_input.c:2291
 tcp_rcv_synsent_state_process+0x1908/0x2bc0 net/ipv4/tcp_input.c:5827
 tcp_rcv_state_process+0x71e/0x23d0 net/ipv4/tcp_input.c:6073
 tcp_v6_do_rcv+0x7a4/0x12f0 net/ipv6/tcp_ipv6.c:1381
 sk_backlog_rcv include/net/sock.h:907 [inline]
 __release_sock+0x187/0x2e0 net/core/sock.c:2289
 release_sock+0x54/0x190 net/core/sock.c:2804
 inet_stream_connect+0x76/0xa0 net/ipv4/af_inet.c:686
 SYSC_connect+0x18b/0x290 net/socket.c:1654
 do_syscall_64+0x194/0x490 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Fixes: Zero-day bug
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
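To make the lifetime problem in the message concrete, here is an added C model (not kernel code and not part of this commit) of the bind-bucket ownership it describes: a cloned socket that still carries the parent's icsk_bind_hash lets the error path release the same bucket twice, and resetting the pointer on clone, as inet_csk_clone_lock() does, prevents it. The struct names mirror the kernel's, but the structures, the owner count and the freed flag are constructed stand-ins.

```c
#include <string.h>

/* Constructed model: a bind bucket is destroyed when its last owner leaves.
 * The freed flag stands in for kmem_cache_free(); KASAN would catch the
 * real write into freed memory that the report above shows. */
struct bind_bucket { int port; int owners; int freed; };
struct sock { struct bind_bucket *icsk_bind_hash; };

/* inet_put_port() analogue: unlink sk from its bucket, destroy if empty.
 * Returns 1 when it touches a bucket that was already freed (the UAF). */
static int put_port(struct sock *sk)
{
    struct bind_bucket *tb = sk->icsk_bind_hash;
    if (!tb)
        return 0;                 /* nothing to release: the safe case */
    if (tb->freed)
        return 1;                 /* write into freed memory */
    sk->icsk_bind_hash = NULL;
    if (--tb->owners == 0)
        tb->freed = 1;            /* inet_bind_bucket_destroy() analogue */
    return 0;
}

/* sk_clone_lock() analogue: the raw copy carries the bucket pointer over
 * even though the clone was never added to the bucket's owner list. */
static struct sock clone_sock(const struct sock *meta, int reset_bind_hash)
{
    struct sock master;
    memcpy(&master, meta, sizeof(master));
    if (reset_bind_hash)
        master.icsk_bind_hash = NULL;   /* the fix this commit applies */
    return master;
}

/* Error path of mptcp_create_master_sk(): tcp_done() runs on both sockets
 * and each one calls inet_put_port(). Returns 1 if a use-after-free occurs. */
int error_path_uaf(int reset_bind_hash)
{
    struct bind_bucket tb = { .port = 12345, .owners = 1, .freed = 0 };
    struct sock meta = { .icsk_bind_hash = &tb };   /* the only real owner */
    struct sock master = clone_sock(&meta, reset_bind_hash);
    int uaf = put_port(&master);   /* shared pointer: frees the bucket */
    uaf |= put_port(&meta);        /* shared pointer: writes freed bucket */
    return uaf;
}
```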