漏洞标题
修复 mptcp 中在重传时对 sk_forward_memory 的破坏
漏洞描述信息
在Linux内核中,已解决了以下漏洞:
- mptcp:修复了在重传时导致sk_forward_memory损坏的问题。
MPTCP的sk_forward_memory处理方式有些特殊,因为此类字段是由msk套接字的spin_lock保护的,而不是普通的套接字锁。
目前存在一条代码路径,在更新此类字段的同时并未处理相关的锁:
`_mptcp_retrans() -> __mptcp_clean_una_wakeup()`
在`__mptcp_clean_una_wakeup()`中的几个辅助函数可能会更新sk_forward_alloc,从而可能造成此类字段损坏,正如Matthieu报告的那样。
为解决这个问题,我们可以提供并使用一个新版本的blamed函数,它会明确获取msk spin lock。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
跨界内存写
漏洞标题
mptcp: fix sk_forward_memory corruption on retransmission
漏洞描述信息
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix sk_forward_memory corruption on retransmission
MPTCP sk_forward_memory handling is a bit special, as such field
is protected by the msk socket spin_lock, instead of the plain
socket lock.
Currently we have a code path updating such field without handling
the relevant lock:
__mptcp_retrans() -> __mptcp_clean_una_wakeup()
Several helpers in __mptcp_clean_una_wakeup() will update
sk_forward_alloc, possibly causing such field corruption, as reported
by Matthieu.
Address the issue providing and using a new variant of blamed function
which explicitly acquires the msk spin lock.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Linux kernel 安全漏洞
漏洞描述信息
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于 mptcp 模块在重传时 sk_forward_memory 方法可能损坏。
CVSS信息
N/A
漏洞类别
其他