| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241007213502.28183-1-ignat@cloudflare.com>
Date: Mon, 7 Oct 2024 22:34:54 +0100
From: Ignat Korchagin <ignat@...udflare.com>
To: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
Oliver Hartkopp <socketcan@...tkopp.net>,
Marc Kleine-Budde <mkl@...gutronix.de>,
Alexander Aring <alex.aring@...il.com>,
Stefan Schmidt <stefan@...enfreihafen.org>,
Miquel Raynal <miquel.raynal@...tlin.com>,
David Ahern <dsahern@...nel.org>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>,
linux-bluetooth@...r.kernel.org,
linux-can@...r.kernel.org,
linux-wpan@...r.kernel.org
Cc: kernel-team@...udflare.com,
kuniyu@...zon.com,
alibuda@...ux.alibaba.com,
Ignat Korchagin <ignat@...udflare.com>
Subject: [PATCH v2 0/8] do not leave dangling sk pointers in pf->create functions
Some protocol family create() implementations have an error path after
allocating the sk object and calling sock_init_data(). sock_init_data()
attaches the allocated sk object to the sock object, provided by the
caller.
If the create() implementation errors out after calling sock_init_data(),
it releases the allocated sk object, but the caller ends up having a
dangling sk pointer in its sock object on return. Subsequent manipulations
on this sock object may try to access the sk pointer, because it is not
NULL thus creating a use-after-free scenario.
While the first patch in the series should be enough to handle this
scenario Eric Dumazet suggested that it would be a good idea to refactor
the code for the af_packet implementation to avoid the error path, which
leaves a dangling pointer, because it may be better for some tools like
kmemleak. I went a bit further and tried to actually fix all the
implementations, which could potentially leave a dangling sk pointer.
Changes in V2:
* reverted the change introduced in 6cd4a78d962b ("net: do not leave a
dangling sk pointer, when socket creation fails")
* added optional commits to all pf->create implementaions to clear the
sk pointer on error after sock_init_data()
Ignat Korchagin (8):
net: explicitly clear the sk pointer, when pf->create fails
af_packet: avoid erroring out after sock_init_data() in
packet_create()
Bluetooth: L2CAP: do not leave dangling sk pointer on error in
l2cap_sock_create()
Bluetooth: RFCOMM: avoid leaving dangling sk pointer in
rfcomm_sock_alloc()
net: af_can: do not leave a dangling sk pointer in can_create()
net: ieee802154: do not leave a dangling sk pointer in
ieee802154_create()
net: inet: do not leave a dangling sk pointer in inet_create()
inet6: do not leave a dangling sk pointer in inet6_create()
net/bluetooth/l2cap_sock.c | 1 +
net/bluetooth/rfcomm/sock.c | 10 +++++-----
net/can/af_can.c | 1 +
net/core/sock.c | 3 ---
net/ieee802154/socket.c | 12 +++++++-----
net/ipv4/af_inet.c | 22 ++++++++++------------
net/ipv6/af_inet6.c | 22 ++++++++++------------
net/packet/af_packet.c | 12 ++++++------
net/socket.c | 7 ++++++-
9 files changed, 46 insertions(+), 44 deletions(-)
--
2.39.5
Powered by blists - more mailing lists