lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1315364126.3400.64.camel@edumazet-laptop>
Date:	Wed, 07 Sep 2011 04:55:26 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	"Yan, Zheng" <zheng.z.yan@...ux.intel.com>
Cc:	Tim Chen <tim.c.chen@...ux.intel.com>,
	"Yan, Zheng" <zheng.z.yan@...el.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"sfr@...b.auug.org.au" <sfr@...b.auug.org.au>,
	"jirislaby@...il.com" <jirislaby@...il.com>,
	"sedat.dilek@...il.com" <sedat.dilek@...il.com>, alex.shi@...el.com
Subject: Re: [PATCH -next v2] unix stream: Fix use-after-free crashes

Le mercredi 07 septembre 2011 à 07:09 +0800, Yan, Zheng a écrit :
> On Wed, Sep 7, 2011 at 4:19 AM, Eric Dumazet <eric.dumazet@...il.com> wrote:
> > Le mardi 06 septembre 2011 à 12:59 -0700, Tim Chen a écrit :
> >> On Tue, 2011-09-06 at 21:43 +0200, Eric Dumazet wrote:
> >> > Le mardi 06 septembre 2011 à 12:33 -0700, Tim Chen a écrit :
> >> >
> >> > > Yes, I think locking the sendmsg for the entire duration of
> >> > > unix_stream_sendmsg makes a lot of sense.  It simplifies the logic a lot
> >> > > more.  I'll try to cook something up in the next couple of days.
> >> >
> >> > Thats not really possible, we cant hold a spinlock and call
> >> > sock_alloc_send_skb() and/or memcpy_fromiovec(), wich might sleep.
> >> >
> >> > You would need to prepare the full skb list, then :
> >> > - stick the ref on the last skb of the list.
> >> >
> >> > Transfert the whole skb list in other->sk_receive_queue in one go,
> >> > instead of one after another.
> >> >
> >> > Unfortunately, this would break streaming (big send(), and another
> >> > thread doing the receive)
> >> >
> >> > Listen, I am wondering why hackbench even triggers SCM code. This is
> >> > really odd. We should not have a _single_ pid/cred ref/unref at all.
> >> >
> >>
> >> Hackbench triggers the code because it has a bunch of threads sending
> >> msgs on UNIX socket.
> >> >
> >>
> >> Well, if the lock socket approach doesn't work, then my original patch
> >> plus Yan Zheng's fix should still work.  I'll try to answer your
> >> objections below:
> >>
> >>
> >> > I was discussing of things after proposed patch, not current net-next.
> >> >
> >> > This reads :
> >> >
> >> > err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, scm_ref);
> >> >
> >> > So first skb is sent without ref taken, as mentioned in Changelog ?
> >> >
> >>
> >> No. the first skb is sent *with* ref taken, as scm_ref is set to true for
> >> first skb.
> >>
> >> >
> >> > If second skb cannot be built, we exit this system call with an already
> >> > queued skb. Receiver can then access to freed memory.
> >> >
> >>
> >> No, we do have reference set.  For first skb, in unix_scm_to_skb.  For the
> >> second skb (which is the last skb), in scm_sent.  Should the second skb alloc failed,
> >> we'll release the ref in scm_destroy.  Otherwise, the receiver will release
> >> the references will consuming the skb.
> >>
> >
> > This is crap. This is not the intent of the code I read from the patch.
> >
> > unless scm_ref really means scm_noref ?
> >
> > I really hate this patch. I mean it.
> >
> > I read it 10 times, spent 2 hours and still dont understand it.
> >
> 
> Sorry, scm_ref means "sender hold a scm reference". I should add comment for it.

There is no "sender holds a scm reference" requirement.

The process is running, so holds a pid and cred by itself.

If pid/cred pointers are stuffed into skb->cb[], then each last skb must
holds its own reference to pid and cred.

Problem is : we dont know wich skb _is_ the last one, because we can
fail skb allocation or user->kernel copy any time.

Please David just revert 0856a304091b33a8e

I'll work today on a fix to performance regression added in 7361c36c



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ