| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iLLuUG-6QaOzTt8UFszpOKkjKhXqDmgDMW1L5GctsqL-g@mail.gmail.com>
Date: Wed, 1 Jul 2020 08:15:10 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
netdev <netdev@...r.kernel.org>,
Yuchung Cheng <ycheng@...gle.com>,
Jonathan Rajotte-Julien <joraj@...icios.com>
Subject: Re: [regression] TCP_MD5SIG on established sockets
On Wed, Jul 1, 2020 at 5:19 AM Mathieu Desnoyers
<mathieu.desnoyers@...icios.com> wrote:
> The approach below looks good to me, but you'll also need to annotate
> both tcp_md5_hash_key and tcp_md5_do_add with __no_kcsan or use
> data_race(expr) to let the concurrency sanitizer know that there is
> a known data race which is there on purpose (triggered by memcpy in tcp_md5_do_add
> and somewhere within crypto_ahash_update). See Documentation/dev-tools/kcsan.rst
> for details.
Sure, I can add a data_race() and let stable teams handle the
backports without it ;)
>
> Thanks,
>
> Mathieu
>
> >
> > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > index
> > f111660453241692a17c881dd6dc2910a1236263..c3af8180c7049d5c4987bf5c67e4aff2ed6967c9
> > 100644
> > --- a/net/ipv4/tcp.c
> > +++ b/net/ipv4/tcp.c
> > @@ -4033,11 +4033,9 @@ EXPORT_SYMBOL(tcp_md5_hash_skb_data);
> >
> > int tcp_md5_hash_key(struct tcp_md5sig_pool *hp, const struct
> > tcp_md5sig_key *key)
> > {
> > - u8 keylen = key->keylen;
> > + u8 keylen = READ_ONCE(key->keylen); /* paired with
> > WRITE_ONCE() in tcp_md5_do_add */
> > struct scatterlist sg;
> >
> > - smp_rmb(); /* paired with smp_wmb() in tcp_md5_do_add() */
> > -
> > sg_init_one(&sg, key->key, keylen);
> > ahash_request_set_crypt(hp->md5_req, &sg, NULL, keylen);
> > return crypto_ahash_update(hp->md5_req);
> > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> > index
> > 99916fcc15ca0be12c2c133ff40516f79e6fdf7f..0d08e0134335a21d23702e6a5c24a0f2b3c61c6f
> > 100644
> > --- a/net/ipv4/tcp_ipv4.c
> > +++ b/net/ipv4/tcp_ipv4.c
> > @@ -1114,9 +1114,13 @@ int tcp_md5_do_add(struct sock *sk, const union
> > tcp_md5_addr *addr,
> > /* Pre-existing entry - just update that one. */
> > memcpy(key->key, newkey, newkeylen);
> >
> > - smp_wmb(); /* pairs with smp_rmb() in tcp_md5_hash_key() */
> > + /* Pairs with READ_ONCE() in tcp_md5_hash_key().
> > + * Also note that a reader could catch new key->keylen value
> > + * but old key->key[], this is the reason we use __GFP_ZERO
> > + * at sock_kmalloc() time below these lines.
> > + */
> > + WRITE_ONCE(key->keylen, newkeylen);
> >
> > - key->keylen = newkeylen;
> > return 0;
> > }
> >
> > @@ -1132,7 +1136,7 @@ int tcp_md5_do_add(struct sock *sk, const union
> > tcp_md5_addr *addr,
> > rcu_assign_pointer(tp->md5sig_info, md5sig);
> > }
> >
> > - key = sock_kmalloc(sk, sizeof(*key), gfp);
> > + key = sock_kmalloc(sk, sizeof(*key), gfp | __GFP_ZERO);
> > if (!key)
> > return -ENOMEM;
> > if (!tcp_alloc_md5sig_pool()) {
>
> --
> Mathieu Desnoyers
> EfficiOS Inc.
> http://www.efficios.com
Powered by blists - more mailing lists