| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87y2temzrt.fsf@cloudflare.com>
Date: Fri, 07 Feb 2020 11:56:38 +0100
From: Jakub Sitnicki <jakub@...udflare.com>
To: Lorenz Bauer <lmb@...udflare.com>
Cc: John Fastabend <john.fastabend@...il.com>,
Daniel Borkmann <daniel@...earbox.net>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
Andrii Nakryiko <andriin@...com>, kernel-team@...udflare.com,
netdev@...r.kernel.org, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf] bpf: sockmap: check update requirements after locking
On Fri, Feb 07, 2020 at 11:37 AM CET, Lorenz Bauer wrote:
> It's currently possible to insert sockets in unexpected states into
> a sockmap, due to a TOCTTOU when updating the map from a syscall.
> sock_map_update_elem checks that sk->sk_state == TCP_ESTABLISHED,
> locks the socket and then calls sock_map_update_common. At this
> point, the socket may have transitioned into another state, and
> the earlier assumptions don't hold anymore. Crucially, it's
> conceivable (though very unlikely) that a socket has become unhashed.
> This breaks the sockmap's assumption that it will get a callback
> via sk->sk_prot->unhash.
>
> Fix this by checking the (fixed) sk_type and sk_protocol without the
> lock, followed by a locked check of sk_state.
>
> Unfortunately it's not possible to push the check down into
> sock_(map|hash)_update_common, since BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB
> run before the socket has transitioned from TCP_SYN_RECV into
> TCP_ESTABLISHED.
>
> Signed-off-by: Lorenz Bauer <lmb@...udflare.com>
> Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
> ---
> net/core/sock_map.c | 16 ++++++++++------
> 1 file changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/net/core/sock_map.c b/net/core/sock_map.c
> index 8998e356f423..36a2433e183f 100644
> --- a/net/core/sock_map.c
> +++ b/net/core/sock_map.c
> @@ -416,14 +416,16 @@ static int sock_map_update_elem(struct bpf_map *map, void *key,
> ret = -EINVAL;
> goto out;
> }
> - if (!sock_map_sk_is_suitable(sk) ||
> - sk->sk_state != TCP_ESTABLISHED) {
> + if (!sock_map_sk_is_suitable(sk)) {
> ret = -EOPNOTSUPP;
> goto out;
> }
>
> sock_map_sk_acquire(sk);
> - ret = sock_map_update_common(map, idx, sk, flags);
> + if (sk->sk_state != TCP_ESTABLISHED)
> + ret = -EOPNOTSUPP;
> + else
> + ret = sock_map_update_common(map, idx, sk, flags);
> sock_map_sk_release(sk);
> out:
> fput(sock->file);
> @@ -739,14 +741,16 @@ static int sock_hash_update_elem(struct bpf_map *map, void *key,
> ret = -EINVAL;
> goto out;
> }
> - if (!sock_map_sk_is_suitable(sk) ||
> - sk->sk_state != TCP_ESTABLISHED) {
> + if (!sock_map_sk_is_suitable(sk)) {
> ret = -EOPNOTSUPP;
> goto out;
> }
>
> sock_map_sk_acquire(sk);
> - ret = sock_hash_update_common(map, key, sk, flags);
> + if (sk->sk_state != TCP_ESTABLISHED)
> + ret = -EOPNOTSUPP;
> + else
> + ret = sock_hash_update_common(map, key, sk, flags);
> sock_map_sk_release(sk);
> out:
> fput(sock->file);
> --
> 2.20.1
Thanks for fixing this, Lorenz. I'll adapt socket state checks on update
in "Extend SOCKMAP to store listening sockets" series accordingly.
Reviewed-by: Jakub Sitnicki <jakub@...udflare.com>
Powered by blists - more mailing lists