| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260203200242.404131-1-kuniyu@google.com>
Date: Tue, 3 Feb 2026 19:47:50 +0000
From: Kuniyuki Iwashima <kuniyu@...gle.com>
To: mhal@...x.co
Cc: bpf@...r.kernel.org, daniel@...earbox.net, davem@...emloft.net,
edumazet@...gle.com, horms@...nel.org, jakub@...udflare.com,
john.fastabend@...il.com, kuba@...nel.org, kuniyu@...gle.com,
linux-kernel@...r.kernel.org, martin.lau@...ux.dev, netdev@...r.kernel.org,
pabeni@...hat.com
Subject: Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
From: Michal Luczaj <mhal@...x.co>
Date: Tue, 3 Feb 2026 10:57:46 +0100
> On 2/3/26 04:53, Martin KaFai Lau wrote:
> > On 2/2/26 7:10 AM, Michal Luczaj wrote:
> >> In related news, looks like bpf_iter_unix_seq_show() is missing
> >> unix_state_lock(): lock_sock_fast() won't stop unix_release_sock(). E.g.
> >> bpf iterator can grab unix_sock::peer as it is being released.
> >
> > If the concern is the bpf iterator prog may use a released unix_peer(sk)
> > pointer, it should be fine. The unix_peer(sk) pointer is not a trusted
> > pointer to the bpf prog, so nothing bad will happen other than
> > potentially reading incorrect values.
>
> But if the prog passes a released peer pointer to a bpf helper:
>
> BUG: KASAN: slab-use-after-free in bpf_skc_to_unix_sock+0x95/0xb0
> Read of size 1 at addr ffff888110654c92 by task test_progs/1936
Can you cook a patch for this ? probably like below
---8<---
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 02ebad6afac7..9c7e9fbde362 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3740,8 +3740,9 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
return 0;
slow = lock_sock_fast(sk);
+ unix_state_lock(sk);
- if (unlikely(sk_unhashed(sk))) {
+ if (unlikely(sock_flag(other, SOCK_DEAD))) {
ret = SEQ_SKIP;
goto unlock;
}
@@ -3751,6 +3752,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
prog = bpf_iter_get_info(&meta, false);
ret = unix_prog_seq_show(prog, &meta, v, uid);
unlock:
+ unix_staet_unlock(sk);
unlock_sock_fast(sk, slow);
return ret;
}
---8<---
Thanks!
Powered by blists - more mailing lists