lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 12 Nov 2022 17:01:30 +0800
From:   mingkun bian <bianmingkun@...il.com>
To:     netdev@...r.kernel.org
Subject: [ISSUE] suspicious sock leak

Hi,
    I found a problem that a sock whose state is ESTABLISHED is not
freed to slab cache by __sock_free.
    The test scenario is as follows:

    1. A HTTP Server,I insert a node to ebpf
map(BPF_MAP_TYPE_LRU_HASH) by BPF_MAP_UPDATE_ELEM when receiving a
"HTTP GET" request in user application.
    ebpf map is:
    key: cookie(getsockopt(fd, SOL_SOCKET, SO_COOKIE, &cookie, &optlen))
    value: saddr sport daddr dport cookie...

    2. I delete the corresponding ebpf map node by "kprobe __sk_free"
in ebpf as following, bpf_map_delete_elem keeps returning 0.

    SEC("kprobe/__sk_free")
    int bpf_prog_destroy_sock(struct pt_regs *ctx)
    {
        struct sock *sk;
        __u64 cookie;
       struct  tcp_infos *value;

       sk = (struct sock *) PT_REGS_PARM1(ctx);
       bpf_probe_read(&cookie, sizeof(sk->__sk_common.skc_cookie),
&sk->__sk_common.skc_cookie);
       value = bpf_map_lookup_elem(&bpfmap, &cookie);
       if (value) {
           if (bpf_map_delete_elem(&bpfmap, &cookie) != 0) {
               debugmsg("delete failed\n");
           }
       }
    }

   3. Sending pressure "HTTP GET" requests to HTTP Server for a while,
 then stop to send and close the HTTP Server, then wait a long time,
we can not see any tcpinfo by "netstat -anp", then error occurs:
    We can see some node which is not deleted int ebpf map by "bpftool
map dump id **", it seems like "sock leak", but the sockstat's
inuse(cat /proc/net/sockstat) does not increase quickly.

4. I did some more experiments by ebpf kprobe, I find that a
sock(state is ESTABLISHED, HTTP server recv a "HTTP GET" requset) does
not come in __sock_free, but the same sock will be reused by another
tcp connection(the most frequent is "127.0.0.1") after a while.
   What I doubt is that why a new tcp connection can resue a old sock
while the old sock does not come in __sk_free.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ