Open Source and information security mailing list archives
Message-Id: <20170309.182127.1480610707735412471.davem@davemloft.net>
Date:   Thu, 09 Mar 2017 18:21:27 -0800 (PST)
From:   David Miller <davem@...emloft.net>
To:     jmaxwell37@...il.com
Cc:     gerrit@....abdn.ac.uk, edumazet@...gle.com, andreyknvl@...gle.com,
        kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
        kaber@...sh.net, ncardwell@...gle.com, dccp@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        jmaxwell@...hat.com, egarver@...hat.com, hsowa@...hat.com
Subject: Re: [PATCH net] dccp/tcp: fix routing redirect race

From: Jon Maxwell <jmaxwell37@...il.com>
Date: Thu,  9 Mar 2017 12:15:21 +1100

> We have seen a few incidents lately where a dst_entry has been freed
> with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that
> dst_entry. If the conditions/timings are right a crash then ensues when the
> freed dst_entry is referenced later on. A common crashing back trace is:
 ...
> A closer look at the tcp_v4_err() handler revealed that do_redirect() will run
> regardless of whether user space has the socket locked. This can result in a
> race condition where the same dst_entry cached in sk->sk_dst_entry can be
> decremented twice for the same socket via:
> 
> do_redirect()->__sk_dst_check()-> dst_release().
> 
> This leads to the dst_entry being prematurely freed with another socket
> pointing to it via sk->sk_dst_cache and a subsequent crash.
> 
> To fix this skip do_redirect() if userspace has the socket locked. Instead let
> the redirect take place later when user space does not have the socket
> locked.
> 
> The dccp code is very similar in this respect, so fixing it there too.
> 
> As Eric Garver pointed out, the following commit now invalidates routes, which
> can set the dst->obsolete flag so that ipv4_dst_check() returns null and
> triggers the dst_release().
> 
> Fixes: ceb3320610d6 ("ipv4: Kill routes during PMTU/redirect updates.")
> Cc: Eric Garver <egarver@...hat.com>
> Cc: Hannes Sowa <hsowa@...hat.com>
> Signed-off-by: Jon Maxwell <jmaxwell37@...il.com>

Please add the ipv6 side of this fix to this patch and repost.

Thank you.
