Date:   Tue, 16 Jan 2018 11:44:25 +0100
From:   Guillaume Nault <g.nault@...halink.fr>
To:     Tom Herbert <tom@...bertland.com>
Cc:     netdev@...r.kernel.org, James Chapman <jchapman@...alix.com>
Subject: Re: [PATCH net-next] kcm: do not attach sockets if sk_user_data is
 already used

On Sun, Jan 14, 2018 at 11:32:57AM +0000, James Chapman wrote:
> SIOCKCMATTACH writes a connected socket's sk_user_data for its own
> use. Prevent it doing so if the socket's sk_user_data is already set
> since some sockets (e.g. encapsulated sockets) use sk_user_data
> internally.
> 
> diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
> index d4e98f20fc2a..65392ed58f4a 100644
> --- a/net/kcm/kcmsock.c
> +++ b/net/kcm/kcmsock.c
> @@ -1391,6 +1391,10 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
>  	if (csk->sk_family == PF_KCM)
>  		return -EOPNOTSUPP;
>  
> +	/* Cannot proceed if connected socket already uses sk_user_data */
> +	if (csk->sk_user_data)
> +		return -EOPNOTSUPP;
> +
>  	psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL);
>  	if (!psock)
>  		return -ENOMEM;
> 
Isn't that racy? What if sk_user_data was concurrently set right after
this test?
Also, it looks like we could create a UDP socket, attach it to KCM,
then create an L2TP tunnel on this same UDP socket. l2tp_tunnel_create()
or setup_udp_tunnel_sock() would unconditionally overwrite
sk_user_data, which will probably confuse KCM.

Tom, if I understand KCM correctly, it only makes sense to attach it to
SOCK_STREAM sockets. Shouldn't that be enforced? Maybe we should
restrict it even further, so that only known KCM-safe sockets could be
attached (that is, reject anything that isn't AF_INET* | SOCK_STREAM).

Powered by blists - more mailing lists