lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190813102705.1f312b67@cakuba.netronome.com>
Date:   Tue, 13 Aug 2019 10:27:05 -0700
From:   Jakub Kicinski <jakub.kicinski@...ronome.com>
To:     John Fastabend <john.fastabend@...il.com>
Cc:     Hillf Danton <hdanton@...a.com>,
        syzbot <syzbot+dcdc9deefaec44785f32@...kaller.appspotmail.com>,
        aviadye@...lanox.com, borisp@...lanox.com, daniel@...earbox.net,
        davejwatson@...com, davem@...emloft.net,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        oss-drivers@...ronome.com, syzkaller-bugs@...glegroups.com,
        willemb@...gle.com
Subject: Re: general protection fault in tls_write_space

On Tue, 13 Aug 2019 10:17:06 -0700, John Fastabend wrote:
> > Followup of commit 95fa145479fb
> > ("bpf: sockmap/tls, close can race with map free")
> > 
> > --- a/net/tls/tls_main.c
> > +++ b/net/tls/tls_main.c
> > @@ -308,6 +308,9 @@ static void tls_sk_proto_close(struct so
> >  	if (free_ctx)
> >  		icsk->icsk_ulp_data = NULL;
> >  	sk->sk_prot = ctx->sk_proto;
> > +	/* tls will go; restore sock callback before enabling bh */
> > +	if (sk->sk_write_space == tls_write_space)
> > +		sk->sk_write_space = ctx->sk_write_space;
> >  	write_unlock_bh(&sk->sk_callback_lock);
> >  	release_sock(sk);
> >  	if (ctx->tx_conf == TLS_SW)  
> 
> Hi Hillf,
> 
> We need this patch (although slightly updated for bpf tree) do
> you want to send it? Otherwise I can. We should only set this if
> TX path was enabled otherwise we null it. Checking against
> tls_write_space seems best to me as well.
> 
> Against bpf this patch should fix it.
> 
> diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> index ce6ef56a65ef..43252a801c3f 100644
> --- a/net/tls/tls_main.c
> +++ b/net/tls/tls_main.c
> @@ -308,7 +308,8 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
>         if (free_ctx)
>                 icsk->icsk_ulp_data = NULL;
>         sk->sk_prot = ctx->sk_proto;
> -       sk->sk_write_space = ctx->sk_write_space;
> +       if (sk->sk_write_space == tls_write_space)
> +               sk->sk_write_space = ctx->sk_write_space;
>         write_unlock_bh(&sk->sk_callback_lock);
>         release_sock(sk);
>         if (ctx->tx_conf == TLS_SW)

This is already in net since Friday:

commit 57c722e932cfb82e9820bbaae1b1f7222ea97b52
Author: Jakub Kicinski <jakub.kicinski@...ronome.com>
Date:   Fri Aug 9 18:36:23 2019 -0700

    net/tls: swap sk_write_space on close
    
    Now that we swap the original proto and clear the ULP pointer
    on close we have to make sure no callback will try to access
    the freed state. sk_write_space is not part of sk_prot, remember
    to swap it.
    
    Reported-by: syzbot+dcdc9deefaec44785f32@...kaller.appspotmail.com
    Fixes: 95fa145479fb ("bpf: sockmap/tls, close can race with map free")
    Signed-off-by: Jakub Kicinski <jakub.kicinski@...ronome.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 9cbbae606ced..ce6ef56a65ef 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -308,6 +308,7 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
        if (free_ctx)
                icsk->icsk_ulp_data = NULL;
        sk->sk_prot = ctx->sk_proto;
+       sk->sk_write_space = ctx->sk_write_space;
        write_unlock_bh(&sk->sk_callback_lock);
        release_sock(sk);
        if (ctx->tx_conf == TLS_SW)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ