lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20230525170653.99846-1-kuniyu@amazon.com>
Date: Thu, 25 May 2023 10:06:53 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <fw@...len.de>
CC: <davem@...emloft.net>, <edumazet@...gle.com>, <kuba@...nel.org>,
	<kuni1840@...il.com>, <kuniyu@...zon.com>, <netdev@...r.kernel.org>,
	<pabeni@...hat.com>, <syzbot+444ca0907e96f7c5e48b@...kaller.appspotmail.com>
Subject: Re: [PATCH v1 net] udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().

From: Florian Westphal <fw@...len.de>
Date: Thu, 25 May 2023 18:33:42 +0200
> Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
> > > I'd remove it in -next.  Same for DCCP.
> > 
> > Ok, I'll do for UDP Lite.
> 
> Thanks.
> 
> > +1 for DCCP, but we know there are real?
> > still experimenting? users ... ?
> 
> Yes, and they can continue to work on their out of tree fork
> and research projects, no problem.
> 
> I'd say next time some net/core change needs dccp changes,
> remove dccp first (or mark it as CONFIG_BROKEN) so it doesn't
> cause extra work.

FWIW, I was going to post such a patch that removes .twsk_unique
and .twsk_destructor handler in timewait_sock_ops, which is only
used by TCP but exists just because DCCP shares the struct.


> DCCP can be brought back when someone has interest to maintain it.
> 
> Looking at DCCP patches its either:
> 1. odd syzbot fixes
> 2. api changes in net that need folloup changes in dccp
> 3. automated transformations
> 
> There is no sign that anyone is maintaining this (or running it
> in a production environment...).

Exactly.  It's now kind of bleeding ground of CVE.

Actualy, we disable CONFIG_IP_DCCP for our latest distribution (AL2023)
for the reason, and RHEL 7.8+ also prevents the module from being loaded
by default.

If there's no objection, I can remove it after UDP Lite.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.8_release_notes/deprecated_functionality#automatic_loading_of_dccp_modules_through_socket_layer_is_now_disabled_by_default

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ