Message-Id: <20240814084622.555672-1-kuro@kuroa.me>
Date: Wed, 14 Aug 2024 16:46:22 +0800
From: Xueming Feng <kuro@...oa.me>
To: Lorenzo Colitti <lorenzo@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>,
	netdev@...r.kernel.org,
	Eric Dumazet <edumazet@...gle.com>,
	Jason Xing <kerneljasonxing@...il.com>,
	Neal Cardwell <ncardwell@...gle.com>,
	Yuchung Cheng <ycheng@...gle.com>,
	Soheil Hassas Yeganeh <soheil@...gle.com>,
	David Ahern <dsahern@...nel.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net,v2] tcp: fix forever orphan socket caused by tcp_abort

On Mon, Aug 14, 2024 at 7:34 AM Lorenzo Colitti <lorenzo@...gle.com> wrote:
> On Mon, Aug 12, 2024 at 7:53 PM Xueming Feng <kuro@...oa.me> wrote:
> > The -ENOENT code comes from the associate patch Lorenzo made for
> > iproute2-ss; link attached below.
> 
> ENOENT does seem reasonable. It's the same thing that would happen if
> userspace passed in a nonexistent cookie (we have a test for that).

In the latest TCP RFC 9293, section 3.10.5 on the ABORT call, it mentions
that an "error: connection does not exist" is to be returned for the CLOSED
state. I noticed this while verifying whether a reset in the FIN-WAIT
state is legal, which it is.

> I'd guess this could happen if userspace was trying to destroy a
> socket but it lost the race against the process owning a socket
> closing it?

Yes, that’s exactly the scenario I'm addressing. I tested this locally
by calling tcp_diag twice with the same socket pointer.

> 
> >        bh_unlock_sock(sk);
> >        local_bh_enable();
> > -       tcp_write_queue_purge(sk);
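Review bot: the removed tcp_write_queue_purge(sk) call is the only change visible in this hunk, and nothing in the hunk shows where the purge now happens, so the commit message should state explicitly that tcp_done_with_error() performs the purge on every path that reaches this point (including the retransmitted-data case raised in this thread) rather than leaving the reader to infer it from the surrounding code.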
> 
> Is this not necessary in any other cases? What if there is
> retransmitted data, shouldn't that be cleared?

The tcp_write_queue_purge() function is indeed invoked within
tcp_done_with_error(). In this patch, tcp_done_with_error() is elevated
to the same logical level where tcp_write_queue_purge() would typically be
called. The difference is that the purge happens just before tcp_done().
So the queue should still be cleared in other scenarios as well.
