Open Source and information security mailing list archives
Message-ID: <55F17D69.2050404@gmail.com>
Date:	Thu, 10 Sep 2015 09:54:01 -0300
From:	Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To:	David Miller <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, vyasevich@...il.com, nhorman@...driver.com,
	linux-sctp@...r.kernel.org
Subject: Re: [PATCH net] sctp: fix race on protocol/netns initialization

On 09-09-2015 21:16, David Miller wrote:
> From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> Date: Wed,  9 Sep 2015 17:03:01 -0300
>
>> So the fix then is to invert the initialization order inside
>> register_pernet_subsys() so that the control socket is created by last
>> and also block socket creation if netns initialization wasn't yet
>> performed.
>
> If we really need to we could make ->create() fail with -EAFNOSUPPORT
> if kern==1 until the protocol is fully setup.
>
> Or, instead of failing, we could make such ->create() calls block
> until the control sock init is complete or fails.

I guess I should have written that paragraph in another order, perhaps like:
So the fix then is to deny any sctp socket creation until netns 
initialization is sufficiently done. And due to that, we have to 
initialize the control socket as last step in netns initialization, as 
now it can't be created earlier anymore.

Is it clearer on the intention?

And my emphasis on userspace sockets was to highlight that a random user 
could trigger it, but yes both users are affected by the issue.

Strictly speaking, we would have to block ->create() not until the 
control socket init is done but until the protocol is fully loaded. Such 
condition, with this patch, is after net->sctp.auto_asconf_splist is 
initialized. But for blocking until instead of just denying, we would 
need some other mechanism.

It would be better from the (sctp) user point of view but then such 
solution may better belong to another layer instead and protect all 
protocols at once. (I checked and couldn't find other protocols at risk 
like sctp)

> We have actually several visibility issues wrt. control sockets on
> protocol init, in general.
>
> For example, such control sockets can briefly be hashed and visible
> to socket dumps and packet input.
>
> A lot of really tricky issues involved here.

Agreed, but do these still apply after explaining that paragraph/the 
solution? I had no intention of visiting these issues with this patch, 
they are left unchanged, but I can if a better solution for the original 
issue calls for it.

   Marcelo
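The ordering Marcelo describes above (refuse any SCTP socket creation until the netns is sufficiently initialized, and therefore create the control socket as the last step) can be modelled in user space. The following is an added example written for this archive page; it is not kernel code and not part of the patch, and all `sctp_model_`/`scenario_` names and the fake socket ids are hypothetical. It models the "deny with -EAFNOSUPPORT" variant, not the "block until init completes" alternative that is also discussed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-netns SCTP state (constructed for this example). */
struct netns_sctp_model {
    bool initialized;        /* true once protocol state below is set up */
    int auto_asconf_splist;  /* stands in for net->sctp.auto_asconf_splist */
    int ctl_sock;            /* stands in for net->sctp.ctl_sock; -1 = none */
    int next_sock_id;        /* fake socket ids handed out by create() */
};

static void sctp_model_net_reset(struct netns_sctp_model *net)
{
    net->initialized = false;
    net->auto_asconf_splist = 0;
    net->ctl_sock = -1;
    net->next_sock_id = 100;
}

/* Model of the protocol family's ->create() hook: every socket, kernel
 * (control) or user, is refused with -EAFNOSUPPORT until the netns has
 * been initialized far enough for the socket to be usable. */
static int sctp_model_create(struct netns_sctp_model *net, int *sock_out)
{
    if (!net->initialized)
        return -EAFNOSUPPORT;
    *sock_out = net->next_sock_id++;
    return 0;
}

/* Fixed ordering: initialize protocol state, mark the netns ready, and
 * only then create the control socket, since create() would refuse it
 * any earlier. */
static int sctp_model_net_init(struct netns_sctp_model *net)
{
    sctp_model_net_reset(net);
    net->auto_asconf_splist = 1;   /* list head initialized */
    net->initialized = true;       /* from here on create() is allowed */
    return sctp_model_create(net, &net->ctl_sock);
}

/* Previous ordering for contrast: control socket first. With the check
 * in create() this now fails deterministically instead of handing out a
 * socket that refers to not-yet-initialized state. */
static int sctp_model_net_init_ctl_first(struct netns_sctp_model *net)
{
    sctp_model_net_reset(net);
    int err = sctp_model_create(net, &net->ctl_sock);
    if (err)
        return err;
    net->auto_asconf_splist = 1;
    net->initialized = true;
    return 0;
}

/* Scenario 1: a user socket() call that lands before init is refused. */
static int scenario_user_before_init(void)
{
    struct netns_sctp_model net;
    int s;
    sctp_model_net_reset(&net);
    return sctp_model_create(&net, &s);   /* -EAFNOSUPPORT */
}

/* Scenario 2: after the fixed init both the control socket and a user
 * socket exist; returns the user socket id, or the error. */
static int scenario_user_after_init(void)
{
    struct netns_sctp_model net;
    int s, err;
    err = sctp_model_net_init(&net);
    if (err)
        return err;
    if (net.ctl_sock < 0)
        return -1;
    err = sctp_model_create(&net, &s);
    return err ? err : s;
}

/* Scenario 3: the old ordering trips over the new check. */
static int scenario_ctl_first(void)
{
    struct netns_sctp_model net;
    return sctp_model_net_init_ctl_first(&net);   /* -EAFNOSUPPORT */
}

int main(void)
{
    printf("user before init: %d\n", scenario_user_before_init());
    printf("user after init (socket id): %d\n", scenario_user_after_init());
    printf("ctl socket created first: %d\n", scenario_ctl_first());
    return 0;
}
```

Scenario 3 is the point of the reordering: once create() is gated on the readiness flag, the control socket can only be created after that flag is set, which forces it to be the last step of netns initialization rather than the first.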
