Date:   Sat, 7 Jul 2018 07:56:08 -0600
From:   David Ahern <dsa@...ulusnetworks.com>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        David Miller <davem@...emloft.net>, lorenzo@...gle.com
Cc:     netdev@...r.kernel.org, astrachan@...gle.com,
        subashab@...eaurora.org
Subject: Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets
 in tcp_abort

On 7/7/18 7:51 AM, Eric Dumazet wrote:
> 
> 
> On 07/07/2018 06:45 AM, Eric Dumazet wrote:
>>
>>
>> On 07/07/2018 06:33 AM, David Ahern wrote:
>>> On 7/7/18 7:11 AM, David Miller wrote:
>>>> From: Lorenzo Colitti <lorenzo@...gle.com>
>>>> Date: Sat,  7 Jul 2018 16:31:40 +0900
>>>>
>>>>> Tested: passes Android sock_diag_test.py, which exercises this codepath
>>>>
>>>> If this Android test case exercises this path, why didn't it trigger
>>>> the double free and thus cause this bug to be found much sooner?
>>>>
>>>
>>> wondering the same. How can I get access to sock_diag_test.py?
>>>
>>
>> I would simply use ss -tKa src :443 command on a live web server ;)
>>
>> Note to readers : Do not try that unless you want to kill your server.
>>
>>
> 
> Here is a packetdrill test :

So I have to either learn how to use packetdrill or install a web server
and put load on it. If the Android tests are not publicly available then
the reference should be removed from the commit log.


> 
> // Test SOCK_DESTROY on SYN_RECV request sockets
> // We use the "ss" socket statistics tool, which uses inet_diag sockets.
> 
> // ss -K can be slow
> --tolerance_usecs=15000
> 
> 
>     0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
>    +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
>    +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
>    +0 bind(3, ..., ...) = 0
>    +0 listen(3, 1) = 0
> 
>    +0 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 2>
>    +0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 8>
> 
> // ss -K is scary ! Do not mess with the filter or risk killing a lot of flows
>    +0 `ss -t -K -n state SYN-RECV src :8080 >/dev/null`
> 
>   +.1 < . 1:1(0) ack 1 win 32890
>    +0 > R 1:1(0)
> 
> // The listener was not killed, but has no available child -> -1 EAGAIN
>    +0 accept(3, ..., ...) = -1 EAGAIN (Resource temporarily unavailable)
> 

I'll give this a try later. Thanks,
