| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Nov 2015 13:28:18 +0100 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Rainer Weikusat <rweikusat@...ileactivedefense.com> Cc: Jason Baron <jbaron@...mai.com>, Dmitry Vyukov <dvyukov@...gle.com>, syzkaller <syzkaller@...glegroups.com>, Michal Kubecek <mkubecek@...e.cz>, Al Viro <viro@...iv.linux.org.uk>, linux-fsdevel@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>, David Miller <davem@...emloft.net>, David Howells <dhowells@...hat.com>, Paul Moore <paul@...l-moore.com>, salyzyn@...roid.com, sds@...ho.nsa.gov, ying.xue@...driver.com, netdev <netdev@...r.kernel.org>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Andrey Konovalov <andreyknvl@...gle.com>, Sasha Levin <sasha.levin@...cle.com>, Julien Tinnes <jln@...gle.com>, Kees Cook <keescook@...gle.com>, Mathias Krause <minipli@...glemail.com> Subject: Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue Hello, On Tue, Nov 10, 2015, at 22:55, Rainer Weikusat wrote: > An AF_UNIX datagram socket being the client in an n:1 association with > some server socket is only allowed to send messages to the server if the > receive queue of this socket contains at most sk_max_ack_backlog > datagrams. This implies that prospective writers might be forced to go > to sleep despite none of the message presently enqueued on the server > receive queue were sent by them. In order to ensure that these will be > woken up once space becomes again available, the present unix_dgram_poll > routine does a second sock_poll_wait call with the peer_wait wait queue > of the server socket as queue argument (unix_dgram_recvmsg does a wake > up on this queue after a datagram was received). This is inherently > problematic because the server socket is only guaranteed to remain alive > for as long as the client still holds a reference to it. In case the > connection is dissolved via connect or by the dead peer detection logic > in unix_dgram_sendmsg, the server socket may be freed despite "the > polling mechanism" (in particular, epoll) still has a pointer to the > corresponding peer_wait queue. There's no way to forcibly deregister a > wait queue with epoll. > > Based on an idea by Jason Baron, the patch below changes the code such > that a wait_queue_t belonging to the client socket is enqueued on the > peer_wait queue of the server whenever the peer receive queue full > condition is detected by either a sendmsg or a poll. A wake up on the > peer queue is then relayed to the ordinary wait queue of the client > socket via wake function. The connection to the peer wait queue is again > dissolved if either a wake up is about to be relayed or the client > socket reconnects or a dead peer is detected or the client socket is > itself closed. This enables removing the second sock_poll_wait from > unix_dgram_poll, thus avoiding the use-after-free, while still ensuring > that no blocked writer sleeps forever. This whole patch seems pretty complicated to me. Can't we just remove the unix_recvq_full checks alltogether and unify unix_dgram_poll with unix_poll? If we want to be cautious we could simply make unix_max_dgram_qlen limit the number of skbs which are in flight from a sending socket. The skb destructor can then decrement this. This seems much simpler. Would this work? Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists