| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Aug 2012 13:14:42 +0400
From: Stanislav Kinsbursky <skinsbursky@...allels.com>
To: Neal Cardwell <ncardwell@...gle.com>
CC: David Miller <davem@...emloft.net>,
"dhowells@...hat.com" <dhowells@...hat.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"rick.jones2@...com" <rick.jones2@...com>,
"ycheng@...gle.com" <ycheng@...gle.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"mikulas@...ax.karlin.mff.cuni.cz" <mikulas@...ax.karlin.mff.cuni.cz>
Subject: Re: [PATCH] tun: don't zeroize sock->file on detach
21.08.2012 21:18, Neal Cardwell пишет:
> On Tue, Aug 21, 2012 at 12:04 PM, Stanislav Kinsbursky
> <skinsbursky@...allels.com> wrote:
>> 10.08.2012 03:16, David Miller пишет:
>>
>>> From: Stanislav Kinsbursky <skinsbursky@...allels.com>
>>> Date: Thu, 09 Aug 2012 16:50:40 +0400
>>>
>>>> This is a fix for bug, introduced in 3.4 kernel by commit
>>>> 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d, which, among other things,
>>>> replaced
>>>> simple sock_put() by sk_release_kernel(). Below is sequence, which leads
>>>> to
>>>> oops for non-persistent devices:
>>>>
>>>> tun_chr_close()
>>>> tun_detach() <== tun->socket.file = NULL
>>>> tun_free_netdev()
>>>> sk_release_sock()
>>>> sock_release(sock->file == NULL)
>>>> iput(SOCK_INODE(sock)) <== dereference on NULL pointer
>>>>
>>>> This patch just removes zeroing of socket's file from __tun_detach().
>>>> sock_release() will do this.
>>>>
>>>> Cc: stable@...r.kernel.org
>>>> Reported-by: Ruan Zhijie <ruanzhijie@...mail.com>
>>>> Tested-by: Ruan Zhijie <ruanzhijie@...mail.com>
>>>> Acked-by: Al Viro <viro@...IV.linux.org.uk>
>>>> Acked-by: Eric Dumazet <edumazet@...gle.com>
>>>> Acked-by: Yuchung Cheng <ycheng@...gle.com>
>>>> Signed-off-by: Stanislav Kinsbursky <skinsbursky@...allels.com>
>>>
>>>
>>> Applied, thanks.
>>>
>>
>> Hi, David.
>> I found out, that this commit: b09e786bd1dd66418b69348cb110f3a64764626a
>> was previous attempt to fix the problem.
>> I believe this commit have to be dropped.
>
> Have you tried testing with that commit reverted? AFAICT from reading
> the code, if you revert b09e786bd1dd66418b69348cb110f3a64764626a then
> the sockets_in_use count becomes incorrect, because sock_release()
> will be calling this_cpu_sub() for each tun socket teardown when there
> was no corresponding this_cpu_add() for the tun socket (because the
> tun socket is not allocated with sock_alloc()).
>
> Can you sketch in more detail why that commit should be dropped?
>
Yep, I've noticed, that first commit patch fixes two problems simultaneously.
Here are they:
1) Dereference of invalid SOCK_INODE()
2) sockets_in_use incorrect value.
But I believe, that introducing new SOCK_EXTERNALLY_ALLOCATED socket flag and
use it in generic code just to handle tun issues is overkill.
My patch solves first problem mush simpler, than mentioned commit.
About second problem...
What about this:
diff --git a/net/socket.c b/net/socket.c
index dfe5b66..dab462b 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -526,8 +526,8 @@ void sock_release(struct socket *sock)
if (test_bit(SOCK_EXTERNALLY_ALLOCATED, &sock->flags))
return;
- this_cpu_sub(sockets_in_use, 1);
if (!sock->file) {
+ this_cpu_sub(sockets_in_use, 1);
iput(SOCK_INODE(sock));
return;
}
?
> neal
>
--
Best regards,
Stanislav Kinsbursky
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists