lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sun, 29 Mar 2020 20:25:03 +0200
From:   Tomasz Meresiński <tomasz@...esinski.eu>
To:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-api@...r.kernel.org
Cc:     davem@...emloft.net, kuba@...nel.org,
        Tomasz Meresiński <tomasz@...esinski.eu>
Subject: [PATCH RFC net-next] af_unix: eof in recvmsg after shutdown for nonblocking dgram socket

Calling recvmsg() after shutdown(SHUT_RD) is a some kind of undocumented
behaviour. For blocking socket it just returns 0 (EOF), but for nonblocking
socket it returns -EAGAIN. It can cause some event loops to infinitely wait
for an event on this socket (https://github.com/tokio-rs/tokio/issues/1679)

Simple Python test case:
| import socket
|
| print('BLOCKING TEST')
| a = socket.socket(family=socket.AF_UNIX, type=socket.SOCK_DGRAM)
| a.shutdown(socket.SHUT_RD)
|
| result = a.recv(1)
| print('recv result ', result)
|
| a.close()
|
| print('NONBLOCKING TEST')
| type = socket.SOCK_DGRAM | socket.SOCK_NONBLOCK
| a = socket.socket(family=socket.AF_UNIX, type=type)
| a.shutdown(socket.SHUT_RD)
|
| try:
|     result = a.recv(1)
| except BlockingIOError:
|     print('Got Blocking IO Error')
| else:
|     print('recv result ', result)
|
| a.close()

Signed-off-by: Tomasz Meresiński <tomasz@...esinski.eu>
---
I'm not so sure about this patch because it can be called userspace API break. 
This sequence is now some kind of undefined behaviour - it's documented nowhere.
In the first place, I think that shutdown(SHUT_RD) should fail here as it does with AF_INET dgram socket.
On the other hand, there may be some user of this kind of shutdown() behaviour so it'd be too risky.

The problem here is that EAGAIN errno is used in event loops as we should wait for the next events indicator.
It's not true here because there won't be any new events with this socket as it's shut down.

 net/unix/af_unix.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 3385a7a0b231..9458b11289c2 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2123,9 +2123,8 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
 
 	if (!skb) { /* implies iolock unlocked */
 		unix_state_lock(sk);
-		/* Signal EOF on disconnected non-blocking SEQPACKET socket. */
-		if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
-		    (sk->sk_shutdown & RCV_SHUTDOWN))
+		/* Signal EOF on disconnected socket. */
+		if (err == -EAGAIN && (sk->sk_shutdown & RCV_SHUTDOWN))
 			err = 0;
 		unix_state_unlock(sk);
 		goto out;
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ