| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 May 2018 22:18:10 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: willemdebruijn.kernel@...il.com
Cc: netdev@...r.kernel.org, willemb@...gle.com
Subject: Re: [PATCH net] ipv4: remove warning in ip_recv_error
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Date: Wed, 23 May 2018 14:29:52 -0400
> From: Willem de Bruijn <willemb@...gle.com>
>
> A precondition check in ip_recv_error triggered on an otherwise benign
> race. Remove the warning.
>
> The warning triggers when passing an ipv6 socket to this ipv4 error
> handling function. RaceFuzzer was able to trigger it due to a race
> in setsockopt IPV6_ADDRFORM.
...
> This socket option converts a v6 socket that is connected to a v4 peer
> to an v4 socket. It updates the socket on the fly, changing fields in
> sk as well as other structs. This is inherently non-atomic. It races
> with the lockless udp_recvmsg path.
>
> No other code makes an assumption that these fields are updated
> atomically. It is benign here, too, as ip_recv_error cares only about
> the protocol of the skbs enqueued on the error queue, for which
> sk_family is not a precise predictor (thanks to another isue with
> IPV6_ADDRFORM).
>
> Link: http://lkml.kernel.org/r/20180518120826.GA19515@dragonet.kaist.ac.kr
> Fixes: ("7ce875e5ecb8 ipv4: warn once on passing AF_INET6 socket to ip_recv_error")
> Reported-by: DaeRyong Jeong <threeearcat@...il.com>
> Suggested-by: Eric Dumazet <edumazet@...gle.com>
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>
Applied and queued up for -stable.
The SHA1_ID doesn't go inside the (" ") of the Fixes tag, I fixed
it up this time.
Powered by blists - more mailing lists