lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Nov 2020 08:48:28 -0300 From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com> To: Jakub Kicinski <kuba@...nel.org> Cc: Kleber Sacilotto de Souza <kleber.souza@...onical.com>, Eric Dumazet <edumazet@...gle.com>, netdev@...r.kernel.org, Gerrit Renker <gerrit@....abdn.ac.uk>, "David S. Miller" <davem@...emloft.net>, "Gustavo A. R. Silva" <gustavoars@...nel.org>, "Alexander A. Klimov" <grandmaster@...klimov.de>, Kees Cook <keescook@...omium.org>, Alexey Kodanev <alexey.kodanev@...cle.com>, dccp@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock On Fri, Oct 16, 2020 at 03:30:16PM -0700, Jakub Kicinski wrote: > On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote: > > From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com> > > > > When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason > > del_timer_sync can't be used is because this relies on keeping a reference > > to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that > > during disconnect, the timer should really belong to struct dccp_sock. > > > > This addresses CVE-2020-16119. > > > > Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup()) > > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...onical.com> > > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@...onical.com> > > I've been mulling over this fix. > > The layering violation really doesn't sit well. > > We're reusing the timer object. What if we are really unlucky, the > fires and gets blocked by a cosmic ray just as it's about to try to > lock the socket, then user manages to reconnect, and timer starts > again. Potentially with a different CCID algo altogether? > > Is disconnect ever called under the BH lock? Maybe plumb a bool > argument through to ccid*_hc_tx_exit() and do a sk_stop_timer_sync() > when called from disconnect()? > > Or do refcounting on ccid_priv so that the timer holds both the socket > and the priv? Sorry about too late a response. I was on vacation, then came back and spent a couple of days testing this further, and had to switch to other tasks. So, while testing this, I had to resort to tricks like having a very small expire and enqueuing on a different CPU. Then, after some minutes, I hit a UAF. That's with or without the first of the second patch. I also tried to refcount ccid instead of the socket, keeping the timer on the ccid, but that still hit the UAF, and that's when I had to switch tasks. Oh, and in the meantime, I found one or two other fixes that we should apply, will send them shortly. But I would argue that we should apply the revert as it addresses the CVE, without really regressing the other UAF, as I argued. Does that make sense? Thank you. Cascardo.
Powered by blists - more mailing lists