lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 23 Nov 2022 16:38:37 +0100
From:   Paolo Abeni <pabeni@...hat.com>
To:     Kuniyuki Iwashima <kuniyu@...zon.com>, harperchen1110@...il.com
Cc:     davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        kuni1840@...il.com, netdev@...r.kernel.org,
        syzkaller@...glegroups.com
Subject: Re: [PATCH v1 net] af_unix: Call sk_diag_fill() under the bucket
 lock.

On Wed, 2022-11-23 at 07:22 -0800, Kuniyuki Iwashima wrote:
> From:   Wei Chen <harperchen1110@...il.com>
> Date:   Wed, 23 Nov 2022 23:09:53 +0800
> > Dear Paolo,
> > 
> > Could you explain the meaning of modified "ss" version to reproduce
> > the bug? I'd like to learn how to reproduce the bug in the user space
> > to facilitate the bug fix.
> 
> I think it means to drop NLM_F_DUMP and modify args as needed because
> ss dumps all sockets, not exactly a single socket.

Exactly! Additionally 'ss' must fill udiag_ino and udiag_cookie with
values matching a live unix socket. And before that you have to add
more code to allow 'ss' dumping such values (or fetch them with some
bpf/perf probe).

> 
> Ah, I misunderstood that the found sk is passed to sk_user_ns(), but it's
> skb->sk.

I did not double check the race you outlined in this patch. That could
still possibly be a valid/existing one.

> P.S.  I'm leaving for Japan today and will be bit slow this and next week
> for vacation.

Have a nice trip ;)

/P

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ