Date: Thu, 24 Nov 2022 17:37:04 +0800
From: Wei Chen <harperchen1110@...il.com>
To: Paolo Abeni <pabeni@...hat.com>
Cc: Kuniyuki Iwashima <kuniyu@...zon.com>, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, kuni1840@...il.com, netdev@...r.kernel.org, syzkaller@...glegroups.com
Subject: Re: [PATCH v1 net] af_unix: Call sk_diag_fill() under the bucket lock.

Dear Linux developers,

My step tracing over Linux found the following C program would trigger the
reported crash. I hope it is helpful for the bug fix.

#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/sock_diag.h>
#include <linux/unix_diag.h>
#include <linux/stat.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(void)
{
	/* A live AF_UNIX socket; its inode is what the diag query keys on. */
	int fd1 = socket(AF_UNIX, SOCK_STREAM, 0);
	struct stat file_stat;
	fstat(fd1, &file_stat);

	int fd2 = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
	struct sockaddr_nl nladdr = { .nl_family = AF_NETLINK };

	/* Exact (single-socket) request: NLM_F_REQUEST without NLM_F_DUMP. */
	struct {
		struct nlmsghdr nlh;
		struct unix_diag_req udr;
	} req = {
		.nlh = {
			.nlmsg_len = sizeof(req),
			.nlmsg_type = SOCK_DIAG_BY_FAMILY,
			.nlmsg_flags = NLM_F_REQUEST
		},
		.udr = {
			.sdiag_family = AF_UNIX,
			.udiag_states = -1,
			.udiag_ino = file_stat.st_ino,
			.udiag_show = 0x40	/* UDIAG_SHOW_UID */
		}
	};
	struct iovec iov = { .iov_base = &req, .iov_len = sizeof(req) };
	struct msghdr msg = {
		.msg_name = &nladdr,
		.msg_namelen = sizeof(nladdr),
		.msg_iov = &iov,
		.msg_iovlen = 1
	};
	sendmsg(fd2, &msg, 0);
	return 0;
}

Best,
Wei

On Wed, 23 Nov 2022 at 23:38, Paolo Abeni <pabeni@...hat.com> wrote:
>
> On Wed, 2022-11-23 at 07:22 -0800, Kuniyuki Iwashima wrote:
> > From: Wei Chen <harperchen1110@...il.com>
> > Date: Wed, 23 Nov 2022 23:09:53 +0800
> > > Dear Paolo,
> > >
> > > Could you explain the meaning of modified "ss" version to reproduce
> > > the bug? I'd like to learn how to reproduce the bug in the user space
> > > to facilitate the bug fix.
> >
> > I think it means to drop NLM_F_DUMP and modify args as needed because
> > ss dumps all sockets, not exactly a single socket.
>
> Exactly! Additionally 'ss' must fill udiag_ino and udiag_cookie with
> values matching a live unix socket. And before that you have to add
> more code to allow 'ss' dumping such values (or fetch them with some
> bpf/perf probe).
>
> > Ah, I misunderstood that the found sk is passed to sk_user_ns(), but it's
> > skb->sk.
>
> I did not double check the race you outlined in this patch. That could
> still possibly be a valid/existing one.
>
> > P.S. I'm leaving for Japan today and will be a bit slow this and next week
> > for vacation.
>
> Have a nice trip ;)
>
> /P
>
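An added example, not part of Wei Chen's message or of the kernel patch under discussion: the single-socket query Paolo describes (NLM_F_REQUEST without NLM_F_DUMP, udiag_ino taken from fstat(), the wildcard cookie), with the kernel's reply parsed rather than discarded, so a monitoring tool can confirm which socket it was answered about and read the UID attribute that udiag_show = UDIAG_SHOW_UID requests. The struct and function names, the DIAG_NOCOOKIE macro and the constructed reply inside self_check() are this example's own; the uapi names come from <linux/unix_diag.h> and <linux/sock_diag.h>.

```c
/* Added example (not from Wei Chen's message or the kernel patch): an exact,
 * non-dump unix_diag query with reply parsing. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/sock_diag.h>
#include <linux/unix_diag.h>

#ifndef UDIAG_SHOW_UID          /* uapi headers that predate the UID attribute */
#define UDIAG_SHOW_UID 0x00000040
#define UNIX_DIAG_UID 7         /* its position in the uapi attribute enum */
#endif

/* sock_diag_check_cookie() skips the cookie compare when both words are ~0
 * (INET_DIAG_NOCOOKIE in the kernel), so knowing only the inode is enough. */
#define DIAG_NOCOOKIE (~0U)

struct unix_diag_request {     /* example's own wrapper, not a uapi type */
    struct nlmsghdr nlh;
    struct unix_diag_req udr;
};

/* Request for exactly one AF_UNIX socket by inode. No NLM_F_DUMP, so the
 * kernel takes the exact-lookup path instead of walking every socket.
 * Returns the request length (40 bytes with the uapi layouts). */
size_t build_request(struct unix_diag_request *req, unsigned int ino,
                     unsigned int show)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->udr));
    req->nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req->nlh.nlmsg_flags = NLM_F_REQUEST;
    req->udr.sdiag_family = AF_UNIX;
    req->udr.udiag_states = ~0U;   /* only consulted on the dump path */
    req->udr.udiag_ino = ino;
    req->udr.udiag_cookie[0] = DIAG_NOCOOKIE;
    req->udr.udiag_cookie[1] = DIAG_NOCOOKIE;
    req->udr.udiag_show = show;
    return req->nlh.nlmsg_len;
}

/* Walk a netlink reply. Returns 0 (filling *out, and *uid when a
 * UNIX_DIAG_UID attribute is present) for a SOCK_DIAG_BY_FAMILY message
 * about `ino`; the kernel's error from an NLMSG_ERROR (-ENOENT: no such
 * socket, -ESTALE: cookie mismatch); or -EPROTO for anything else. */
int parse_reply(const void *buf, int len, unsigned int ino,
                struct unix_diag_msg *out, unsigned int *uid)
{
    const struct nlmsghdr *nlh = buf;

    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type == NLMSG_ERROR) {
            const struct nlmsgerr *e = NLMSG_DATA(nlh);
            return e->error ? e->error : -EPROTO;
        }
        if (nlh->nlmsg_type != SOCK_DIAG_BY_FAMILY)
            continue;
        const struct unix_diag_msg *m = NLMSG_DATA(nlh);
        if (m->udiag_family != AF_UNIX || m->udiag_ino != ino)
            return -EPROTO;    /* answer is about some other socket */
        *out = *m;
        /* Attributes follow the fixed header. */
        const struct rtattr *rta =
            (const struct rtattr *)((const char *)m + NLMSG_ALIGN(sizeof(*m)));
        int alen = nlh->nlmsg_len - NLMSG_LENGTH(sizeof(*m));
        for (; RTA_OK(rta, alen); rta = RTA_NEXT(rta, alen))
            if (rta->rta_type == UNIX_DIAG_UID && RTA_PAYLOAD(rta) >= 4)
                memcpy(uid, RTA_DATA(rta), 4);
        return 0;
    }
    return -EPROTO;
}

/* Send the exact query for `unix_fd` and parse the answer. Returns
 * parse_reply()'s result or -errno from the socket calls. */
int query_unix_socket(int unix_fd, struct unix_diag_msg *out, unsigned int *uid)
{
    struct stat st;
    struct unix_diag_request req;
    struct sockaddr_nl nladdr = { .nl_family = AF_NETLINK };
    union { struct nlmsghdr h; unsigned char raw[4096]; } buf;
    int nl, rc;

    if (fstat(unix_fd, &st) < 0)
        return -errno;
    nl = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG);
    if (nl < 0)
        return -errno;
    build_request(&req, (unsigned int)st.st_ino, UDIAG_SHOW_UID);
    if (sendto(nl, &req, req.nlh.nlmsg_len, 0,
               (struct sockaddr *)&nladdr, sizeof(nladdr)) < 0) {
        rc = -errno; close(nl); return rc;
    }
    ssize_t n = recv(nl, buf.raw, sizeof(buf.raw), 0);
    rc = n < 0 ? -errno
               : parse_reply(buf.raw, (int)n, (unsigned int)st.st_ino, out, uid);
    close(nl);
    return rc;
}

/* Constructed sample reply (not captured from a kernel): one message for
 * inode 4242 carrying UNIX_DIAG_UID = 1000. Exercises the builder and the
 * parser without needing netlink. Returns 0 when everything checks out. */
int self_check(void)
{
    union { struct nlmsghdr h; unsigned char raw[128]; } r;
    struct nlmsghdr *nlh = &r.h;
    struct unix_diag_msg *m = NLMSG_DATA(nlh), out;
    struct unix_diag_request req;
    uint32_t uidval = 1000;
    unsigned int uid = 0;

    if (build_request(&req, 4242, UDIAG_SHOW_UID) != 40) return 1;
    if (req.nlh.nlmsg_flags & NLM_F_DUMP) return 2;
    memset(&r, 0, sizeof(r));
    nlh->nlmsg_type = SOCK_DIAG_BY_FAMILY;
    m->udiag_family = AF_UNIX;
    m->udiag_type = SOCK_STREAM;
    m->udiag_ino = 4242;
    struct rtattr *rta = (struct rtattr *)((char *)m + NLMSG_ALIGN(sizeof(*m)));
    rta->rta_type = UNIX_DIAG_UID;
    rta->rta_len = RTA_LENGTH(sizeof(uidval));
    memcpy(RTA_DATA(rta), &uidval, sizeof(uidval));
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*m)) + RTA_ALIGN(rta->rta_len);
    if (parse_reply(&r, nlh->nlmsg_len, 4242, &out, &uid) != 0) return 3;
    if (out.udiag_type != SOCK_STREAM || uid != 1000) return 4;
    if (parse_reply(&r, nlh->nlmsg_len, 4243, &out, &uid) != -EPROTO) return 5;
    return 0;
}

int main(void)
{
    struct unix_diag_msg m;
    unsigned int uid = 0;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int rc = query_unix_socket(fd, &m, &uid);
    if (rc < 0)
        fprintf(stderr, "unix_diag query failed: %s\n", strerror(-rc));
    else
        printf("ino=%u state=%u uid=%u\n", m.udiag_ino, m.udiag_state, uid);
    close(fd);
    return rc < 0;
}
```

Run as an unprivileged user on a kernel with unix_diag available; -ENOENT means the inode was not found, -ESTALE means a real cookie was supplied and did not match, and a send failure usually means the diag module is not loaded.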