lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Nov 2015 17:18:27 -0800 From: Eric Dumazet <edumazet@...gle.com> To: Rainer Weikusat <rweikusat@...ileactivedefense.com> Cc: Dmitry Vyukov <dvyukov@...gle.com>, Benjamin LaHaise <bcrl@...ck.org>, "David S. Miller" <davem@...emloft.net>, Hannes Frederic Sowa <hannes@...essinduktion.org>, Al Viro <viro@...iv.linux.org.uk>, David Howells <dhowells@...hat.com>, Ying Xue <ying.xue@...driver.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, netdev <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, syzkaller <syzkaller@...glegroups.com>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Sasha Levin <sasha.levin@...cle.com> Subject: Re: use-after-free in sock_wake_async On Tue, Nov 24, 2015 at 5:10 PM, Rainer Weikusat <rweikusat@...ileactivedefense.com> wrote: > > The af_unix part of this, yes, ie, what gets allocated in > unix_create1. But neither the socket inode nor the struct sock > originally passed to unix_create. Since these are part of the same > umbrella structure, they'll both be freed as consequence of the > sock_release iput. As far as I can tell (I don't claim that I'm > necessarily right on this, this is just the result of spending ca 2h > reading the code with the problem report in mind and looking for > something which could cause it), doing a sock_hold on the unix peer of > the socket in unix_stream_sendmsg is indeed not needed, however, there's > no additional reference to the inode or the struct sock accompanying it, > ie, both of these will be freed by unix_release_sock. This also affects > unix_dgram_sendmsg. > > It's also easy to verify: Swap the unix_state_lock and > other->sk_data_ready and see if the issue still occurs. Right now (this > may change after I had some sleep as it's pretty late for me), I don't > think there's another local fix: The ->sk_data_ready accesses a > pointer after the lock taken by the code which will clear and > then later free it was released. It seems that : int sock_wake_async(struct socket *sock, int how, int band) should really be changed to int sock_wake_async(struct socket_wq *wq, int how, int band) So that RCU rules (already present) apply safely. sk->sk_socket is inherently racy (that is : racy without using sk_callback_lock rwlock ) Other possibility would be _not_ calling sock_orphan() from unix_release_sock() -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists