lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 11 Nov 2020 18:05:55 +0000
From:   Ricardo Dias <rdias@...glestore.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3] tcp: fix race condition when creating child sockets
 from syncookies

On Wed, Nov 11, 2020 at 05:05:11PM +0100, Eric Dumazet wrote:
> On Wed, Nov 11, 2020 at 8:35 AM Ricardo Dias <rdias@...glestore.com> wrote:
>
> ...
> 
> > + * If an existing socket already exists, it returns that socket
> > + * through the osk parameter.
> 
> 
> I think this deserves a third parameter, to avoid confusion.

Yes, I agree. It will make much clearer the semantics of this function.

> ...
>
> > +                                       if (unlikely(!refcount_inc_not_zero(&esk->sk_refcnt)))
> 
> Can you explain how this could happen ?
> Again, we own the lock here, finding a socket in ehash, with a zero
> refcount can not happen.
> 
> Only a true rcu lookup could see a zero refcount.

Ah! Now I understand what you are saying. Indeed we just need to
increment the ref counter. We don't need to check if it's zero.

> ...
>
> > -               inet_ehash_nolisten(sk, (struct sock *)tw);
> > +               inet_ehash_nolisten(sk, (struct sock **)&tw);
> 
> Why could not we 'find' a prior socket, and since you ignore the result,
> leave a refcount increment, and a socket leak ?
> 
> Same remark for all callers.
> 
> >         }
> >         if (tw)
> 
> See the problem here ?
> 
> If tw was initially NULL, then inet_ehash_nolisten() could have overwritten tw
> with another socket.
> 
> Surely calling inet_twsk_bind_unhash() could be disastrous.

Yes, you're right.
I adapted this call to match the new signature assuming `tw` would never
be NULL. Shame on me for not noticing the `if (tw)` statement right
below :-).

I'll check each caller code, to make sure I'm not leaking the socket.


Thanks for your reviews. I'm learning more and more with each review
iteration.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ