| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Dec 2021 14:17:58 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Lee Jones' <lee.jones@...aro.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"Vlad Yasevich" <vyasevich@...il.com>,
Neil Horman <nhorman@...driver.com>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
lksctp developers <linux-sctp@...r.kernel.org>,
"H.P. Yarroll" <piggy@....org>,
Karl Knutson <karl@...ena.chicago.il.us>,
Jon Grimm <jgrimm@...ibm.com>,
Xingang Guo <xingang.guo@...el.com>,
Hui Huang <hui.huang@...ia.com>,
Sridhar Samudrala <sri@...ibm.com>,
Daisy Chang <daisyc@...ibm.com>,
Ryan Layer <rmlayer@...ibm.com>,
Kevin Gao <kevin.gao@...el.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH v2 1/2] sctp: export sctp_endpoint_{hold,put}() and return
incremented endpoint
From: Lee Jones
> Sent: 17 December 2021 13:46
>
> net/sctp/diag.c for instance is built into its own separate module
> (sctp_diag.ko) and requires the use of sctp_endpoint_{hold,put}() in
> order to prevent a recently found use-after-free issue.
>
> In order to prevent data corruption of the pointer used to take a
> reference on a specific endpoint, between the time of calling
> sctp_endpoint_hold() and it returning, the API now returns a pointer
> to the exact endpoint that was incremented.
>
> For example, in sctp_sock_dump(), we could have the following hunk:
>
> sctp_endpoint_hold(tsp->asoc->ep);
> ep = tsp->asoc->ep;
> sk = ep->base.sk
> lock_sock(ep->base.sk);
>
> It is possible for this task to be swapped out immediately following
> the call into sctp_endpoint_hold() that would change the address of
> tsp->asoc->ep to point to a completely different endpoint. This means
> a reference could be taken to the old endpoint and the new one would
> be processed without a reference taken, moreover the new endpoint
> could then be freed whilst still processing as a result, causing a
> use-after-free.
>
> If we return the exact pointer that was held, we ensure this task
> processes only the endpoint we have taken a reference to. The
> resultant hunk now looks like this:
>
> ep = sctp_endpoint_hold(tsp->asoc->ep);
> sk = ep->base.sk
> lock_sock(sk);
Isn't that just the same as doing things in the other order?
ep = tsp->assoc->ep;
sctp_endpoint_hold(ep);
But if tsp->assoc->ep is allowed to change, can't it also change to
something invalid?
So I've have thought you should be holding some kind of lock that
stops the data being changed before being 'allowed' to follow the pointers.
In which case the current code is just a missing optimisatoion.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists