lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 06 Sep 2011 19:40:05 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Tim Chen <tim.c.chen@...ux.intel.com>
Cc:	"Yan, Zheng" <zheng.z.yan@...el.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"sfr@...b.auug.org.au" <sfr@...b.auug.org.au>,
	"jirislaby@...il.com" <jirislaby@...il.com>,
	"sedat.dilek@...il.com" <sedat.dilek@...il.com>, alex.shi@...el.com
Subject: Re: [PATCH -next v2] unix stream: Fix use-after-free crashes

Le mardi 06 septembre 2011 à 09:25 -0700, Tim Chen a écrit :
> On Sun, 2011-09-04 at 13:44 +0800, Yan, Zheng wrote:
> > Commit 0856a30409 (Scm: Remove unnecessary pid & credential references
> > in Unix socket's send and receive path) introduced a use-after-free bug.
> > It passes the scm reference to the first skb. Skb(s) afterwards may
> > reference freed data structure because the first skb can be destructed
> > by the receiver at anytime. The fix is by passing the scm reference to
> > the very last skb.
> > 
> > Signed-off-by: Zheng Yan <zheng.z.yan@...el.com>
> > Reported-by: Jiri Slaby <jirislaby@...il.com>
> > ---
> 
> Thanks for finding this bug in my original patch.  I've missed the case
> where receiving side could have released the all the references to the
> credential before the send side is using the credential again for
> subsequent skbs in the stream, thus causing the problem we saw.  Getting
> an extra reference for pid/credentials at the beginning of the stream
> and not getting reference for the last skb is the right approach.
> 
> Thanks also to Sedat, Valdis and Jiri for their extensive testing to
> discover the bug and testing the subsequent fixes. 
> 
> Acked-by: Tim Chen <tim.c.chen@...ux.intel.com>

What happens if message must be split in two skb,
first skb is built, queued (without scm reference)

Second skb allocation fails.

Rule about refs/norefs games is : As soon as you put skb into a list, it
should have all appropriate references if this skb has pointer(s) to
objects(s)

We should revert 0856a304091b33a and code the thing differently.

Instead of storing pointer to pid and cred in UNIXSKB(), why dont we
copy all needed information ? No ref counts at all.

skb->cb[] is large enough.



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ