lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 May 2015 20:16:02 +0200 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Mark Salyzyn <salyzyn@...roid.com>, Hannes Frederic Sowa <hannes@...hat.com> Cc: linux-kernel@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, Al Viro <viro@...iv.linux.org.uk>, David Howells <dhowells@...hat.com>, Ying Xue <ying.xue@...driver.com>, Christoph Hellwig <hch@....de>, netdev@...r.kernel.org Subject: Re: net/unix: sk_socket can disappear when state is unlocked On Fri, May 22, 2015, at 18:24, Mark Salyzyn wrote: > On 05/22/2015 08:35 AM, Hannes Frederic Sowa wrote: > > I still wonder if we need to actually recheck the condition and not > > simply break out of unix_stream_data_wait: > > > > We return to the unix_stream_recvmsg loop and recheck the > > sk_receive_queue. At this point sk_receive_queue is not really protected > > with unix_state_lock against concurrent modification with unix_release, > > as such we could end up concurrently dequeueing packets if socket is > > DEAD. > sock destroy(sic) is called before sock_orphan which sets SOCK_DEAD, so > the receive queue has already been drained. I am still afraid that there is a race: When we break out in unix_stream_data_wait we most of the time hit the continue statement in unix_stream_recvmsg. Albeit we acquired state lock again, we could end up in a situation where the sk_receive_queue is not completely drained. We would miss the recheck of the sk_shutdown mask, because it is possible we dequeue a non-null skb from the receive queue. This is because unix_release_sock acquires state lock, sets appropriate flags but the draining of the receive queue does happen without locks, state lock is unlocked before that. So theoretically both, release_sock and recvmsg could dequeue skbs concurrently in nondeterministic behavior. The fix would be to recheck SOCK_DEAD or even better, sk_shutdown right after we reacquired state_lock and break out of the loop altogether, maybe with -ECONNRESET. Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists