lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20ea50c910654fa0abc601bbddc37eaf@AcuMS.aculab.com>
Date:   Sun, 19 Dec 2021 14:04:08 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Lee Jones' <lee.jones@...aro.org>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "Vlad Yasevich" <vyasevich@...il.com>,
        Neil Horman <nhorman@...driver.com>,
        "Marcelo Ricardo Leitner" <marcelo.leitner@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        lksctp developers <linux-sctp@...r.kernel.org>,
        "H.P. Yarroll" <piggy@....org>,
        Karl Knutson <karl@...ena.chicago.il.us>,
        Jon Grimm <jgrimm@...ibm.com>,
        Xingang Guo <xingang.guo@...el.com>,
        Hui Huang <hui.huang@...ia.com>,
        Sridhar Samudrala <sri@...ibm.com>,
        Daisy Chang <daisyc@...ibm.com>,
        Ryan Layer <rmlayer@...ibm.com>,
        Kevin Gao <kevin.gao@...el.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH v2 1/2] sctp: export sctp_endpoint_{hold,put}() and return
 incremented endpoint

From: Lee Jones
> Sent: 17 December 2021 14:35
> 
> On Fri, 17 Dec 2021, David Laight wrote:
> 
> > From: Lee Jones
> > > Sent: 17 December 2021 13:46
> > >
> > > net/sctp/diag.c for instance is built into its own separate module
> > > (sctp_diag.ko) and requires the use of sctp_endpoint_{hold,put}() in
> > > order to prevent a recently found use-after-free issue.
> > >
> > > In order to prevent data corruption of the pointer used to take a
> > > reference on a specific endpoint, between the time of calling
> > > sctp_endpoint_hold() and it returning, the API now returns a pointer
> > > to the exact endpoint that was incremented.
> > >
> > > For example, in sctp_sock_dump(), we could have the following hunk:
> > >
> > > 	sctp_endpoint_hold(tsp->asoc->ep);
> > > 	ep = tsp->asoc->ep;
> > > 	sk = ep->base.sk
> > > 	lock_sock(ep->base.sk);
> > >
> > > It is possible for this task to be swapped out immediately following
> > > the call into sctp_endpoint_hold() that would change the address of
> > > tsp->asoc->ep to point to a completely different endpoint.  This means
> > > a reference could be taken to the old endpoint and the new one would
> > > be processed without a reference taken, moreover the new endpoint
> > > could then be freed whilst still processing as a result, causing a
> > > use-after-free.
> > >
> > > If we return the exact pointer that was held, we ensure this task
> > > processes only the endpoint we have taken a reference to.  The
> > > resultant hunk now looks like this:
> > >
> > > 	ep = sctp_endpoint_hold(tsp->asoc->ep);
> > > 	sk = ep->base.sk
> > > 	lock_sock(sk);
> >
> > Isn't that just the same as doing things in the other order?
> > 	ep = tsp->asoc->ep;
> > 	sctp_endpoint_hold(ep);
> 
> Sleep for a few milliseconds between those lines and see what happens.
> 
> 'ep' could still be freed between the assignment and the call.

It can also be freed half way through setting up the arguments to the call.
So any call:
		xxx(tsp->asoc->ep);
is only really valid if both tsp->asoc and asoc->ep are stable.
So it is exactly the same as doing:
		ep = tsp->asoc->ep;
		xxx(ep);
Returning the value of the argument doesn't help if any of the pointed-to
items can get freed.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ