lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Wed, 20 Feb 2019 19:47:39 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     netdev@...r.kernel.org
Subject: [RFC] odd checks in AF_UNIX ->recvmsg()

	Can ->recvmsg() (or ->splice_read(), for that matter)
overlap with ->release() of the socket it's reading from?

	I'd always assumed that to be impossible, but we have this
in unix_stream_read_generic():
redo:
                unix_state_lock(sk);
                if (sock_flag(sk, SOCK_DEAD)) {
                        err = -ECONNRESET;
                        goto unlock;
                }
                last = skb = skb_peek(&sk->sk_receive_queue);
                last_len = last ? last->len : 0;
		...

and sk comes from state->socket->sk, i.e. sock->sk of unix_stream_recvmsg()
and unix_stream_splice_read().  IOW, the socket being read from.  And
SOCK_DEAD is only set by sock_orphan(), which means that socket would
have to have gone through ->release().

What am I missing and how is that supposed to be triggered?  Note that
e.g. shutdown(2) doesn't set SOCK_DEAD - its effects are in ->sk_shutdown
and the same unix_stream_read_generic() does check for those separately.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ