| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Y8FDhdy3s1z/JxAi@kroah.com>
Date: Fri, 13 Jan 2023 12:41:57 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Jakub Kicinski <kuba@...nel.org>, pabeni@...hat.com,
slipper.alive@...il.com, stable-commits@...r.kernel.org
Subject: Re: Patch "net/ulp: prevent ULP without clone op from entering the
LISTEN status" has been added to the 5.4-stable tree
On Thu, Jan 12, 2023 at 08:03:10PM +0100, Greg KH wrote:
> On Thu, Jan 12, 2023 at 10:57:31AM -0800, Jakub Kicinski wrote:
> > On Thu, 12 Jan 2023 14:49:28 +0100 Greg KH wrote:
> > > On Thu, Jan 12, 2023 at 02:44:09PM +0100, gregkh@...uxfoundation.org wrote:
> > > >
> > > > This is a note to let you know that I've just added the patch titled
> > > >
> > > > net/ulp: prevent ULP without clone op from entering the LISTEN status
> > > >
> > > > to the 5.4-stable tree which can be found at:
> > > > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > >
> > > Oops, nope, this broke the build for 5.4 and older kernels, now
> > > dropping.
> >
> > There's no clone op, right?
>
> Correct.
>
> > If you're willing to futz with it I think
> > you just need to remove the "and the ops don't have ->clone" part of
> > the conditions. Any presence of ops on older kernels should make us
> > bail.
Ok, I've queued up the following patch for 5.4. and older. Let me know
if I've messed anything up here, but it at least builds for me :)
thanks,
greg k-h
------------
>From 2c02d41d71f90a5168391b6a5f2954112ba2307c Mon Sep 17 00:00:00 2001
From: Paolo Abeni <pabeni@...hat.com>
Date: Tue, 3 Jan 2023 12:19:17 +0100
Subject: net/ulp: prevent ULP without clone op from entering the LISTEN status
From: Paolo Abeni <pabeni@...hat.com>
commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.
When an ULP-enabled socket enters the LISTEN status, the listener ULP data
pointer is copied inside the child/accepted sockets by sk_clone_lock().
The relevant ULP can take care of de-duplicating the context pointer via
the clone() operation, but only MPTCP and SMC implement such op.
Other ULPs may end-up with a double-free at socket disposal time.
We can't simply clear the ULP data at clone time, as TLS replaces the
socket ops with custom ones assuming a valid TLS ULP context is
available.
Instead completely prevent clone-less ULP sockets from entering the
LISTEN status.
Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
Reported-by: slipper <slipper.alive@...il.com>
Signed-off-by: Paolo Abeni <pabeni@...hat.com>
Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@...nel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
net/ipv4/inet_connection_sock.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -902,11 +902,25 @@ void inet_csk_prepare_forced_close(struc
}
EXPORT_SYMBOL(inet_csk_prepare_forced_close);
+static int inet_ulp_can_listen(const struct sock *sk)
+{
+ const struct inet_connection_sock *icsk = inet_csk(sk);
+
+ if (icsk->icsk_ulp_ops)
+ return -EINVAL;
+
+ return 0;
+}
+
int inet_csk_listen_start(struct sock *sk, int backlog)
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct inet_sock *inet = inet_sk(sk);
- int err = -EADDRINUSE;
+ int err;
+
+ err = inet_ulp_can_listen(sk);
+ if (unlikely(err))
+ return err;
reqsk_queue_alloc(&icsk->icsk_accept_queue);
Powered by blists - more mailing lists