| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Nov 2022 16:20:10 -0800
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <joannelkoong@...il.com>
CC: <acme@...driva.com>, <davem@...emloft.net>, <dccp@...r.kernel.org>,
<dsahern@...nel.org>, <edumazet@...gle.com>, <kuba@...nel.org>,
<kuni1840@...il.com>, <kuniyu@...zon.com>, <martin.lau@...nel.org>,
<mathew.j.martineau@...ux.intel.com>, <netdev@...r.kernel.org>,
<pabeni@...hat.com>, <pengfei.xu@...el.com>,
<stephen@...workplumber.org>, <william.xuanziyang@...wei.com>,
<yoshfuji@...ux-ipv6.org>
Subject: Re: [PATCH v2 net 1/4] dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
From: Joanne Koong <joannelkoong@...il.com>
Date: Wed, 16 Nov 2022 16:11:21 -0800
> On Wed, Nov 16, 2022 at 2:28 PM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
> >
> > When connect() is called on a socket bound to the wildcard address,
> > we change the socket's saddr to a local address. If the socket
> > fails to connect() to the destination, we have to reset the saddr.
> >
> > However, when an error occurs after inet_hash6?_connect() in
> > (dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave
> > the socket bound to the address.
> >
> > From the user's point of view, whether saddr is reset or not varies
> > with errno. Let's fix this inconsistent behaviour.
> >
> > Note that after this patch, the repro [0] will trigger the WARN_ON()
> > in inet_csk_get_port() again, but this patch is not buggy and rather
> > fixes a bug papering over the bhash2's bug for which we need another
> > fix.
> >
> > For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect()
> > by this sequence:
> >
> > s1 = socket()
> > s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
> > s1.bind(('127.0.0.1', 10000))
> > s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000)))
> > # or s1.connect(('127.0.0.1', 10000))
> >
> > s2 = socket()
> > s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
> > s2.bind(('0.0.0.0', 10000))
> > s2.connect(('127.0.0.1', 10000)) # -EADDRNOTAVAIL
> >
> > s2.listen(32) # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2);
> >
> > [0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09
> >
> > Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
> > Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
>
> LGTM. Btw, the 4th patch in this series overwrites these changes by
> moving this logic into the new inet_bhash2_reset_saddr() function you
> added, so we could also drop this patch from the series. OTOH, this
> commit message in this patch has some good background context. So I
> don't have a preference either way :)
>
> Acked-by: Joanne Koong <joannelkoong@...il.com>
Thanks for reviewing!
Yes, these changes are overwritten later, but only this patch can be
backported to other stable versions, so I kept this separated.
> > ---
> > net/dccp/ipv4.c | 2 ++
> > net/dccp/ipv6.c | 2 ++
> > net/ipv4/tcp_ipv4.c | 2 ++
> > net/ipv6/tcp_ipv6.c | 2 ++
> > 4 files changed, 8 insertions(+)
> >
> > diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
> > index 713b7b8dad7e..40640c26680e 100644
> > --- a/net/dccp/ipv4.c
> > +++ b/net/dccp/ipv4.c
> > @@ -157,6 +157,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> > * This unhashes the socket and releases the local port, if necessary.
> > */
> > dccp_set_state(sk, DCCP_CLOSED);
> > + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > + inet_reset_saddr(sk);
> > ip_rt_put(rt);
> > sk->sk_route_caps = 0;
> > inet->inet_dport = 0;
> > diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> > index e57b43006074..626166cb6d7e 100644
> > --- a/net/dccp/ipv6.c
> > +++ b/net/dccp/ipv6.c
> > @@ -985,6 +985,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> >
> > late_failure:
> > dccp_set_state(sk, DCCP_CLOSED);
> > + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > + inet_reset_saddr(sk);
> > __sk_dst_reset(sk);
> > failure:
> > inet->inet_dport = 0;
> > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> > index 87d440f47a70..6a3a732b584d 100644
> > --- a/net/ipv4/tcp_ipv4.c
> > +++ b/net/ipv4/tcp_ipv4.c
> > @@ -343,6 +343,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> > * if necessary.
> > */
> > tcp_set_state(sk, TCP_CLOSE);
> > + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > + inet_reset_saddr(sk);
> > ip_rt_put(rt);
> > sk->sk_route_caps = 0;
> > inet->inet_dport = 0;
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 2a3f9296df1e..81b396e5cf79 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -359,6 +359,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> >
> > late_failure:
> > tcp_set_state(sk, TCP_CLOSE);
> > + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > + inet_reset_saddr(sk);
> > failure:
> > inet->inet_dport = 0;
> > sk->sk_route_caps = 0;
> > --
> > 2.30.2
Powered by blists - more mailing lists