Message-ID: <20090511184739.6e497f29@penta.localdomain>
Date: Mon, 11 May 2009 18:47:39 -0400
From: Yury Polyanskiy <ypolyans@...nceton.EDU>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: [IPSEC] xfrm_state locking problem in xfrm_input.c
xfrm_input() code uses spin_lock() where it must be using
spin_lock_bh() instead. The corresponding code in xfrm_output.c
correctly uses spin_lock_bh().
Note that if a locally generated packet is sent to a local IP,
dev_queue_xmit() calls loopback_xmit() and xfrm_input() will be
called with softirqs enabled.
This might lead to a deadlock since x->lock is acquired in
xfrm_timer_handler().
Signed-off-by: Yury Polyanskiy <polyanskiy@...il.com>
---
net/xfrm/xfrm_input.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index b4a1317..4494918 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -161,7 +161,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
skb->sp->xvec[skb->sp->len++] = x;
- spin_lock(&x->lock);
+ spin_lock_bh(&x->lock);
if (unlikely(x->km.state != XFRM_STATE_VALID)) {
XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEINVALID);
goto drop_unlock;
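Review bot: the spin_lock_bh(&x->lock) that now follows the xvec assignment carries no comment saying why bottom halves have to be off here. The reason (x->lock is also taken in xfrm_timer_handler(), and the loopback transmit path can enter xfrm_input() with softirqs enabled) is recorded only in the commit message. A short comment above the lock would keep a later cleanup from switching it back to spin_lock() on the assumption that input processing always runs in softirq context.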
@@ -182,7 +182,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
goto drop_unlock;
}
- spin_unlock(&x->lock);
+ spin_unlock_bh(&x->lock);
XFRM_SKB_CB(skb)->seq.input = seq;
@@ -192,7 +192,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
return 0;
resume:
- spin_lock(&x->lock);
+ spin_lock_bh(&x->lock);
if (nexthdr <= 0) {
if (nexthdr == -EBADMSG) {
xfrm_audit_state_icvfail(x, skb,
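Review bot: resume: sits directly after return 0, so it is reached only by a goto, and the spin_lock_bh() here is the first lock taken on that path. The commit message justifies the change only for the loopback_xmit() case, so it should also say which context that jump runs in. spin_lock_bh() is safe when nested inside softirq context, but the matching spin_unlock_bh() must not run with hard interrupts disabled, so the resume caller needs to be confirmed as process or softirq context.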
@@ -212,7 +212,7 @@ resume:
x->curlft.bytes += skb->len;
x->curlft.packets++;
- spin_unlock(&x->lock);
+ spin_unlock_bh(&x->lock);
XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
@@ -260,7 +260,7 @@ resume:
}
drop_unlock:
- spin_unlock(&x->lock);
+ spin_unlock_bh(&x->lock);
drop:
kfree_skb(skb);
return 0;
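Review bot: drop_unlock: now releases with spin_unlock_bh(), so every goto drop_unlock has to come from a region entered through one of the two spin_lock_bh() calls in this patch. The gotos visible in the hunks above do, but the ones in the unshown parts of xfrm_input() should be checked as well, because an unlock that does not match its lock would leave the softirq-disable count unbalanced. The diffstat (5 insertions, 5 deletions) matches two lock and three unlock sites, so please confirm there are no further spin_lock()/spin_unlock() calls on x->lock left in this file.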
--
1.6.2.4