lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210119171745.6840e3a5@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date:   Tue, 19 Jan 2021 17:17:45 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Kuniyuki Iwashima <kuniyu@...zon.co.jp>
Cc:     Eric Dumazet <edumazet@...gle.com>,
        "David S . Miller" <davem@...emloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        Kuniyuki Iwashima <kuni1840@...il.com>,
        Benjamin Herrenschmidt <benh@...zon.com>,
        Ricardo Dias <rdias@...glestore.com>
Subject: Re: [PATCH net] tcp: Fix potential use-after-free due to double
 kfree().

On Mon, 18 Jan 2021 14:59:20 +0900 Kuniyuki Iwashima wrote:
> Receiving ACK with a valid SYN cookie, cookie_v4_check() allocates struct
> request_sock and then can allocate inet_rsk(req)->ireq_opt. After that,
> tcp_v4_syn_recv_sock() allocates struct sock and copies ireq_opt to
> inet_sk(sk)->inet_opt. Normally, tcp_v4_syn_recv_sock() inserts the full
> socket into ehash and sets NULL to ireq_opt. Otherwise,
> tcp_v4_syn_recv_sock() has to reset inet_opt by NULL and free the full
> socket.
> 
> The commit 01770a1661657 ("tcp: fix race condition when creating child
> sockets from syncookies") added a new path, in which more than one cores
> create full sockets for the same SYN cookie. Currently, the core which
> loses the race frees the full socket without resetting inet_opt, resulting
> in that both sock_put() and reqsk_put() call kfree() for the same memory:
> 
>   sock_put
>     sk_free
>       __sk_free
>         sk_destruct
>           __sk_destruct
>             sk->sk_destruct/inet_sock_destruct
>               kfree(rcu_dereference_protected(inet->inet_opt, 1));
> 
>   reqsk_put
>     reqsk_free
>       __reqsk_free
>         req->rsk_ops->destructor/tcp_v4_reqsk_destructor
>           kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1));
> 
> Calling kmalloc() between the double kfree() can lead to use-after-free, so
> this patch fixes it by setting NULL to inet_opt before sock_put().
> 
> As a side note, this kind of issue does not happen for IPv6. This is
> because tcp_v6_syn_recv_sock() clones both ipv6_opt and pktopts which
> correspond to ireq_opt in IPv4.
> 
> Fixes: 01770a166165 ("tcp: fix race condition when creating child sockets from syncookies")
> CC: Ricardo Dias <rdias@...glestore.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.co.jp>
> Reviewed-by: Benjamin Herrenschmidt <benh@...zon.com>

Ricardo, Eric, any reason this was written this way?

> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 58207c7769d0..87eb614dab27 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1595,6 +1595,8 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
>  		tcp_move_syn(newtp, req);
>  		ireq->ireq_opt = NULL;
>  	} else {
> +		newinet->inet_opt = NULL;
> +
>  		if (!req_unhash && found_dup_sk) {
>  			/* This code path should only be executed in the
>  			 * syncookie case only
> @@ -1602,8 +1604,6 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
>  			bh_unlock_sock(newsk);
>  			sock_put(newsk);
>  			newsk = NULL;
> -		} else {
> -			newinet->inet_opt = NULL;
>  		}
>  	}
>  	return newsk;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ