| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Mar 2023 15:00:52 -0800
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <edumazet@...gle.com>
CC: <davem@...emloft.net>, <eric.dumazet@...il.com>, <kuba@...nel.org>,
<kuniyu@...zon.com>, <netdev@...r.kernel.org>, <pabeni@...hat.com>,
<rao.shoaib@...cle.com>,
<syzbot+7699d9e5635c10253a27@...kaller.appspotmail.com>
Subject: Re: [PATCH net] af_unix: fix struct pid leaks in OOB support
From: Eric Dumazet <edumazet@...gle.com>
Date: Tue, 7 Mar 2023 16:45:30 +0000
> syzbot reported struct pid leak [1].
>
> Issue is that queue_oob() calls maybe_add_creds() which potentially
> holds a reference on a pid.
>
> But skb->destructor is not set (either directly or by calling
> unix_scm_to_skb())
>
> This means that subsequent kfree_skb() or consume_skb() would leak
> this reference.
>
> In this fix, I chose to fully support scm even for the OOB message.
>
> [1]
> BUG: memory leak
> unreferenced object 0xffff8881053e7f80 (size 128):
> comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s)
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180
> [<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285
> [<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684
> [<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825
> [<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> [<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
> [<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Fixes: 314001f0bf92 ("af_unix: Add OOB support")
> Reported-by: syzbot+7699d9e5635c10253a27@...kaller.appspotmail.com
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@...zon.com>
Thanks!
> Cc: Rao Shoaib <rao.shoaib@...cle.com>
> Cc: Kuniyuki Iwashima <kuniyu@...zon.com>
> ---
> net/unix/af_unix.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index 347122c3575eaae597405369e2e9d8324d6ad240..0b0f18ecce4470d6fd21c084a3ea49e04dcbb9bd 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -2105,7 +2105,8 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
> #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768))
>
> #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
> -static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other)
> +static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other,
> + struct scm_cookie *scm, bool fds_sent)
> {
> struct unix_sock *ousk = unix_sk(other);
> struct sk_buff *skb;
> @@ -2116,6 +2117,11 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
> if (!skb)
> return err;
>
> + err = unix_scm_to_skb(scm, skb, !fds_sent);
> + if (err < 0) {
> + kfree_skb(skb);
> + return err;
> + }
> skb_put(skb, 1);
> err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1);
>
> @@ -2243,7 +2249,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>
> #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
> if (msg->msg_flags & MSG_OOB) {
> - err = queue_oob(sock, msg, other);
> + err = queue_oob(sock, msg, other, &scm, fds_sent);
> if (err)
> goto out_err;
> sent++;
> --
> 2.40.0.rc0.216.gc4246ad0f0-goog
Powered by blists - more mailing lists