| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <73f71d4e6f867a90538b48894249be3902eb38e4.camel@redhat.com>
Date: Wed, 23 Nov 2022 16:38:37 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>, harperchen1110@...il.com
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
kuni1840@...il.com, netdev@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: [PATCH v1 net] af_unix: Call sk_diag_fill() under the bucket
lock.
On Wed, 2022-11-23 at 07:22 -0800, Kuniyuki Iwashima wrote:
> From: Wei Chen <harperchen1110@...il.com>
> Date: Wed, 23 Nov 2022 23:09:53 +0800
> > Dear Paolo,
> >
> > Could you explain the meaning of modified "ss" version to reproduce
> > the bug? I'd like to learn how to reproduce the bug in the user space
> > to facilitate the bug fix.
>
> I think it means to drop NLM_F_DUMP and modify args as needed because
> ss dumps all sockets, not exactly a single socket.
Exactly! Additionally 'ss' must fill udiag_ino and udiag_cookie with
values matching a live unix socket. And before that you have to add
more code to allow 'ss' dumping such values (or fetch them with some
bpf/perf probe).
>
> Ah, I misunderstood that the found sk is passed to sk_user_ns(), but it's
> skb->sk.
I did not double check the race you outlined in this patch. That could
still possibly be a valid/existing one.
> P.S. I'm leaving for Japan today and will be bit slow this and next week
> for vacation.
Have a nice trip ;)
/P
Powered by blists - more mailing lists