lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <83947731-d800-9a1f-71f9-4460c46e322a@schaufler-ca.com>
Date:   Wed, 31 Mar 2021 08:40:54 -0700
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     刘亚灿 <yacanliu@....com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Security Module list 
        <linux-security-module@...r.kernel.org>,
        Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP
 connections

On 3/30/2021 7:44 PM, 刘亚灿 wrote:
> Hi Casev:
>
> A quote from the listen(2) man page on my Ubuntu system:
> The backlog argument defines the maximum length to which 
> the queue of pending connections for sockfd may grow.
> I think this implies that the 'backlog' must be greater than zero.
> In the test source file (tools/smack-ipv4-tcp-peersec.c) Line 60
> I found the following code:
> if (listen(firstsock, 0) < 0) {
> 	    printf("%s-listen\n", argv[0]);
> 	    exit(1);
> }
> That means that sock will not accept any requests, 
> so client TCP connections hang with SYN_SENT.

Interesting. Prior to this change the code above was
accepting connections. I also tried code that uses a
backlog of 0 on a system without an LSM and discovered
the same behavior. That is, it accepted connections
with a 0 backlog before the change, and hangs after.

Is this a bug fix?

> In openssh case, it use SSH_LISTEN_BACKLOG as 128.
>
> At 2021-03-30 23:42:04, "Casey Schaufler" <casey@...aufler-ca.com> wrote:
>> Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
>> sk_acceptq_is_full()' breaks a system with the Smack LSM.
>> Reverting this change results in a return to correct behavior.
>>
>> The Smack testsuite can be found at:
>> 	https://github.com/smack-team/smack-testsuite.git
>>
>> The failing test is ipv4-tcp-local-peersec.sh, but it seems
>> that most TCP connections hang with SYN_SENT. Oddly, ssh
>> to 127.0.0.1 works, but other TCP connections timeout.
>>
>>
>>
>>
>
>
>  
>
>
>  

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ