lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 20 Nov 2013 15:07:11 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	dborkman@...hat.com
Cc:	netdev@...r.kernel.org, noureddine@...stanetworks.com,
	greearb@...delatech.com
Subject: Re: [PATCH net] packet: fix use after free race in send path when
 dev is released

From: Daniel Borkmann <dborkman@...hat.com>
Date: Wed, 20 Nov 2013 09:30:17 +0100

> On 11/20/2013 02:34 AM, David Miller wrote:
>> From: Daniel Borkmann <dborkman@...hat.com>
>> Date: Wed, 20 Nov 2013 00:08:23 +0100
>>
>>> To avoid reverting 827d9780 entirely, we could make use of po->running
>>> member that gets reset when we're calling __unregister_prot_hook() in
>>> packet_notifier() when we receive NETDEV_DOWN or NETDEV_UNREGISTER
>>> notification. Plus, we still need to hold ref to the netdev, so
>>> that we can assure it won't be released while we're in send path.
>>
>> The avoidance of the atomic ref counting of the network device is the
>> main performance gain we get from that commit.
>>
>> Now we'll be doing the refcount _and_ taking a spinlock, it'll be
>> worse than beforehand.
>>
>> And this is doubly silly because we already have a reference
>> when we install the device into po->prot_hook.dev
>>
>> I bet you can fix this by just deferring the NETDEV_UNREGISTER
>> AF_PACKET notifier work to RCU.
> 
> Yep, will try if this approach works, in other words doing the earlier
> exit via !po->running, plus deferring the dev_put() et al to RCU.

Thank you.  You might have to wrap the sendmsg path in an rcu lock
sequence.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ