tcp: tcp_child_process() related UAF

tcp_child_process( .. child ...) currently calls sock_put(child).

Unfortunately @child (named @nsk in callers) can be used after
this point to send a RST packet.

To fix this UAF, I remove the sock_put() from tcp_child_process()
and let the callers handle this after it is safe.

Remove @rsk variable in tcp_v4_do_rcv() and change tcp_v6_do_rcv()
so that both functions look the same.

Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260505153927.3435532-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 8fc24c3743c5f905f8e07a26fb0edb40fb6ab767..c0526cc0398049fb34b5de20a1175d54942e80cd 100644 (file)
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1827,7 +1827,6 @@ INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *,
 int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
 {
        enum skb_drop_reason reason;
-       struct sock *rsk;
 
        reason = psp_sk_rx_policy_check(sk, skb);
        if (reason)
@@ -1863,24 +1862,21 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
                        return 0;
                if (nsk != sk) {
                        reason = tcp_child_process(sk, nsk, skb);
-                       if (reason) {
-                               rsk = nsk;
+                       sock_put(nsk);
+                       if (reason)
                                goto reset;
-                       }
                        return 0;
                }
        } else
                sock_rps_save_rxhash(sk, skb);
 
        reason = tcp_rcv_state_process(sk, skb);
-       if (reason) {
-               rsk = sk;
+       if (reason)
                goto reset;
-       }
        return 0;
 
 reset:
-       tcp_v4_send_reset(rsk, skb, sk_rst_convert_drop_reason(reason));
+       tcp_v4_send_reset(sk, skb, sk_rst_convert_drop_reason(reason));
 discard:
        sk_skb_reason_drop(sk, skb, reason);
        /* Be careful here. If this function gets more complicated and
@@ -2193,8 +2189,10 @@ lookup:
 
                                rst_reason = sk_rst_convert_drop_reason(drop_reason);
                                tcp_v4_send_reset(nsk, skb, rst_reason);
+                               sock_put(nsk);
                                goto discard_and_relse;
                        }
+                       sock_put(nsk);
                        sock_put(sk);
                        return 0;
                }

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 199f0b579e89cf25689e74a8d37bb0c022a6c92d..e6092c3ac840bdc1f62d4435c414e7f79edc10c2 100644 (file)
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -1012,6 +1012,6 @@ enum skb_drop_reason tcp_child_process(struct sock *parent, struct sock *child,
        }
 
        bh_unlock_sock(child);
-       sock_put(child);
+
        return reason;
 }

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2c3f7a739709d7b89f376f79b71173e5f2d8e64e..51583aef0643e92c961fc00f48f1192184d087ed 100644 (file)
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1617,12 +1617,13 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
        if (sk->sk_state == TCP_LISTEN) {
                struct sock *nsk = tcp_v6_cookie_check(sk, skb);
 
+               if (!nsk)
+                       return 0;
                if (nsk != sk) {
-                       if (nsk) {
-                               reason = tcp_child_process(sk, nsk, skb);
-                               if (reason)
-                                       goto reset;
-                       }
+                       reason = tcp_child_process(sk, nsk, skb);
+                       sock_put(nsk);
+                       if (reason)
+                               goto reset;
                        return 0;
                }
        } else
@@ -1827,8 +1828,10 @@ lookup:
 
                                rst_reason = sk_rst_convert_drop_reason(drop_reason);
                                tcp_v6_send_reset(nsk, skb, rst_reason);
+                               sock_put(nsk);
                                goto discard_and_relse;
                        }
+                       sock_put(nsk);
                        sock_put(sk);
                        return 0;
                }