lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 06 Jun 2007 07:26:52 +0200 From: Miklos Szeredi <miklos@...redi.hu> To: davem@...emloft.net CC: netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] fix race in AF_UNIX > > From: Miklos Szeredi <miklos@...redi.hu> > > Date: Mon, 04 Jun 2007 11:45:32 +0200 > > > > > > A recv() on an AF_UNIX, SOCK_STREAM socket can race with a > > > > send()+close() on the peer, causing recv() to return zero, even though > > > > the sent data should be received. > > > > > > > > This happens if the send() and the close() is performed between > > > > skb_dequeue() and checking sk->sk_shutdown in unix_stream_recvmsg(): > > > > > > > > process A skb_dequeue() returns NULL, there's no data in the socket queue > > > > process B new data is inserted onto the queue by unix_stream_sendmsg() > > > > process B sk->sk_shutdown is set to SHUTDOWN_MASK by unix_release_sock() > > > > process A sk->sk_shutdown is checked, unix_release_sock() returns zero > > > > > > This is only part of the story. It turns out, there are other races > > > involving the garbage collector, that can throw away perfectly good > > > packets with AF_UNIX sockets in them. > > > > > > The problems arise when a socket goes from installed to in-flight or > > > vica versa during garbage collection. Since gc is done with a > > > spinlock held, this only shows up on SMP. > > > > > > The following patch fixes it for me, but it's possibly the wrong > > > approach. > > > > > > Signed-off-by: Miklos Szeredi <mszeredi@...e.cz> > > Concerning this specific patch I think we need to rethink it > a bit. > > Holding a global mutex over recvmsg() calls under AF_UNIX is pretty > much a non-starter, this will kill performance for multi-threaded > apps. That's an rwsem held for read. It's held for write in unix_gc() only for a short duration, and unix_gc() should only rarely be called. So I don't think there's any performance problem here. > > One possible solution is for the garbage collection code to hold the > u->readlock while processing a socket, but be careful about deadlocks. That would have exactly the same effect. Only the code would be more complicated. Miklos - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists