lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 04 Dec 2023 09:12:11 +0200
From: Rémi Denis-Courmont <remi@...lab.net>
To: Hyunwoo Kim <v4bel@...ori.io>, courmisch@...il.com
CC: v4bel@...ori.io, imv4bel@...il.com, davem@...emloft.net, edumazet@...gle.com,
 kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org
Subject: Re: [PATCH] net: phonet: Fix Use-After-Free in pep_recvmsg

Hi,

Le 4 décembre 2023 08:59:52 GMT+02:00, Hyunwoo Kim <v4bel@...ori.io> a écrit :
>Because pep_recvmsg() fetches the skb from pn->ctrlreq_queue
>without holding the lock_sock and then frees it,
>a race can occur with pep_ioctl().
>A use-after-free for a skb occurs with the following flow.

Isn't this the same issue that was reported by Huawei rootlab and for which I already provided a pair of patches to the security list two months ago?

TBH, I much prefer the approach in the other patch set, which takes the hit on the ioctl() side rather than the recvmsg()'s.

Unfortunately, I have no visibility on what happened or didn't happen after that, since the security list is private.

>```
>pep_recvmsg() -> skb_dequeue() -> skb_free_datagram()
>pep_ioctl() -> skb_peek()
>```
>Fix this by adjusting the scope of lock_sock in pep_recvmsg().
>
>Signed-off-by: Hyunwoo Kim <v4bel@...ori.io>
>---
> net/phonet/pep.c | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
>diff --git a/net/phonet/pep.c b/net/phonet/pep.c
>index faba31f2eff2..212d8a9ddaee 100644
>--- a/net/phonet/pep.c
>+++ b/net/phonet/pep.c
>@@ -1250,12 +1250,17 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> 	if (unlikely(1 << sk->sk_state & (TCPF_LISTEN | TCPF_CLOSE)))
> 		return -ENOTCONN;
> 
>+	lock_sock(sk);
>+
> 	if ((flags & MSG_OOB) || sock_flag(sk, SOCK_URGINLINE)) {
> 		/* Dequeue and acknowledge control request */
> 		struct pep_sock *pn = pep_sk(sk);
> 
>-		if (flags & MSG_PEEK)
>+		if (flags & MSG_PEEK) {
>+			release_sock(sk);
> 			return -EOPNOTSUPP;
>+		}
>+

Also this change is not really accounted for.

> 		skb = skb_dequeue(&pn->ctrlreq_queue);
> 		if (skb) {
> 			pep_ctrlreq_error(sk, skb, PN_PIPE_NO_ERROR,
>@@ -1263,12 +1268,14 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> 			msg->msg_flags |= MSG_OOB;
> 			goto copy;
> 		}
>-		if (flags & MSG_OOB)
>+
>+		if (flags & MSG_OOB) {
>+			release_sock(sk);
> 			return -EINVAL;
>+		}
> 	}
> 
> 	skb = skb_recv_datagram(sk, flags, &err);
>-	lock_sock(sk);
> 	if (skb == NULL) {
> 		if (err == -ENOTCONN && sk->sk_state == TCP_CLOSE_WAIT)
> 			err = -ECONNRESET;
>@@ -1278,7 +1285,7 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> 
> 	if (sk->sk_state == TCP_ESTABLISHED)
> 		pipe_grant_credits(sk, GFP_KERNEL);
>-	release_sock(sk);
>+
> copy:
> 	msg->msg_flags |= MSG_EOR;
> 	if (skb->len > len)
>@@ -1291,6 +1298,8 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> 		err = (flags & MSG_TRUNC) ? skb->len : len;
> 
> 	skb_free_datagram(sk, skb);
>+
>+	release_sock(sk);
> 	return err;
> }
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ