| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Jun 2021 14:58:16 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Nguyen Dinh Phi <phind.uet@...il.com>
Cc: Neal Cardwell <ncardwell@...gle.com>,
David Miller <davem@...emloft.net>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
David Ahern <dsahern@...nel.org>,
Jakub Kicinski <kuba@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>,
John Fastabend <john.fastabend@...il.com>, kpsingh@...nel.org,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+f1e24a0594d4e3a895d3@...kaller.appspotmail.com,
Yuchung Cheng <ycheng@...gle.com>
Subject: Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.
On Tue, Jun 29, 2021 at 2:28 PM Nguyen Dinh Phi <phind.uet@...il.com> wrote:
>
> On June 29, 2021 4:21:59 PM GMT+08:00, Eric Dumazet <edumazet@...gle.com> wrote:
> >On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi <phind.uet@...il.com>
> >wrote:
> >>
> >> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell
> ><ncardwell@...gle.com> wrote:
> >> >)
> >> >
> >> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@...il.com>
> >wrote:
> >> >>
> >> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >> >>
> >> >> > Thanks.
> >> >> >
> >> >> > Can you also please provide a summary of the event sequence that
> >> >> > triggers the bug? Based on your Reported-by tag, I guess this is
> >> >based
> >> >> > on the syzbot reproducer:
> >> >> >
> >> >> >
> >>
> >>https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >> >> >
> >> >> > but perhaps you can give a summary of the event sequence that
> >> >causes
> >> >> > the bug? Is it that the call:
> >> >> >
> >> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> >> >> > &(0x7f0000000000)='cdg\x00', 0x4)
> >> >> >
> >> >> > initializes the CC and happens before the connection is
> >> >established,
> >> >> > and then when the connection is established, the line that sets:
> >> >> > icsk->icsk_ca_initialized = 0;
> >> >> > is incorrect, causing the CC to be initialized again without
> >first
> >> >> > calling the cleanup code that deallocates the CDG-allocated
> >memory?
> >> >> >
> >> >> > thanks,
> >> >> > neal
> >> >> >
> >> >>
> >> >> Hi Neal,
> >> >>
> >> >> The gdb stack trace that lead to init_transfer_input() is as
> >bellow,
> >> >the
> >> >> current sock state is TCP_SYN_RECV.
> >> >
> >> >Thanks. That makes sense as a snapshot of time for
> >> >tcp_init_transfer(), but I think what would be more useful would be
> >a
> >> >description of the sequence of events, including when the CC was
> >> >initialized previous to that point (as noted above, was it that the
> >> >setsockopt(TCP_CONGESTION) completed before that point?).
> >> >
> >> >thanks,
> >> >neal
> >>
> >> I resend my message because I accidently used html format in last
> >one. I am very sorry for the inconvenience caused.
> >> ---
> >> Yes, the CC had been initialized by the setsockopt, after that, it
> >was initialized again in function tcp_init_transfer() because of
> >setting isck_ca_initialized to 0.
> >
> >"the setsockopt" is rather vague, sorry.
> >
> >
> >The hard part is that all scenarios have to be considered.
> >
> >TCP flows can either be passive and active.
> >
> >CC can be set :
> >
> >1) Before the connect() or accept()
> >2) After the connect() or accept()
> >3) after the connect() but before 3WHS is completed.
> >
> >So we need to make sure all cases will still work with any combination
> >of CDG CC (before/after) in the picture.
> >
> >Note that a memory leak for a restricted CC (CDG can only be used by
> >CAP_NET_ADMIN privileged user)
> > is a small problem compared to more serious bug that could be added
> >by an incomplete fix.
> >
> >I also note that if icsk_ca_priv] was increased from 104 to 120 bytes,
> >tcp_cdg would no longer need a dynamic memory allocation.
> >
> >Thank you.
>
> Hi,
> I will try to see whether I am able to get the full sequence. I am also affraid of making a change that could affect big part of the kernel.
> About CDG, how we can get rid of dynamic allocation by increasing icsk_priv_data to 120? because I see that the window size is a module parameter, so I guess it is not a fixed value.
Given this module parameter is constant, I doubt anyone really uses a
bigger window.
If researchers want to experiment bigger window, they could adjust a
macro and recompile (#define TCP_CDG_WINDOW 8 -> X)
> Because the problem only happens with CDG, is adding check in its tcp_cdg_init() function Ok? And about icsk_ca_initialized, Could I expect it to be 0 in CC's init functions?
I think icsk_ca_initialized lost its strong meaning when CDG was
introduced (since this is the only CC allocating memory)
The bug really is that before clearing icsk_ca_initialized we should
call cc->release()
Maybe we missed this cleanup in commit
8919a9b31eb4fb4c0a93e5fb350a626924302aa6 ("tcp: Only init congestion
control if not initialized already")
Although I am not sure what happens at accept() time when the listener
socket is cloned.
If we make any hypothesis, we need to check all CC modules to make
sure they respect it.
>
> Thank you.
Powered by blists - more mailing lists