lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 11 Apr 2011 08:36:02 -0500
From:	"Serge E. Hallyn" <serge@...lyn.com>
To:	Rob Landley <rlandley@...allels.com>
Cc:	linux-kernel@...r.kernel.org, linux-nfs@...r.kernel.org,
	containers@...ts.linux-foundation.org,
	Trond Myklebust <Trond.Myklebust@...app.com>,
	Tim Spriggs <tims@...irise.org>,
	Kir Kolyshkin <kir@...allels.com>,
	Pavel Emelyanov <xemul@...allels.com>
Subject: Re: [PATCH 3/3] Compare namespaces when comparing addresses in
 auth_unix cache.

Quoting Rob Landley (rlandley@...allels.com):
> On 04/08/2011 10:08 AM, Rob Landley wrote:
> > On 04/04/2011 10:46 PM, Serge E. Hallyn wrote:
> >> Does this need to take a reference?  Or is there no way for an
> >> entry to outlive its netns?  It sort of looks like
> >> svcauth_unix_info_release will ensure that doesn't happen, but
> >> I'm not convinced because other parts of the kernel can get
> >> to ip_map_init through the struct cache_detail.
> > 
> > When I wrote this I thought the transport's get_net() and put_net()
> > would pin it, but after re-reading, the sunrpc code is disgustingly
> > convoluted enough that I can't easily reconstruct my earlier reasoning.
> >  I'll add a get_net() and put_net() just to not have to worry about it.
> 
> Ah-ha!
> 
> Stanislav Kinsbursky helped me reconstruct some of the reasoning: we
> don't need to take a reference because we never actually dereference the
> struct net *, all we do is feed them to net_eq() which just compares the
> pointers for equality.  (The inline function exists so it can compile to
> a constant "return 1" when configured out.)
> 
> So if the network context did go away (which still shouldn't happen
> between the rpc_xprt and the struct nfs_client having references to it)
> we still wouldn't have a use-after-free problem because we're not
> looking at the memory, just the pointer.

Besides use-after-free, the other concern is an invalid net_eq()
result due to the * being re-used for a new netns.  I assume that's
deemed "super-duper impossible" again bc of the rpc_xprt/nfs_client
references to it?

> So I shouldn't need to add get_net() and put_net() to the cache.  Sound
> about right?

thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ