lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZTZ9XfPOXD4JXdjk@zx2c4.com>
Date: Mon, 23 Oct 2023 16:04:13 +0200
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: Daniel Gröber <dxld@...kboxed.org>
Cc: "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	wireguard@...ts.zx2c4.com, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] wireguard: Fix leaking sockets in wg_socket_init error
 paths

Hi,

The signed-off-by is missing and the subject does not match the format
of any other wireguard commits.

On Mon, Oct 23, 2023 at 03:06:09PM +0200, Daniel Gröber wrote:
> This doesn't seem to be reachable normally, but while working on a patch

"Normally" as in what? At all? Or?

> for the address binding code I ended up triggering this leak and had to
> reboot to get rid of the leaking wg sockets.

This commit message doesn't describe any rationale for this patch. Can
you describe the bug?

> ---
>  drivers/net/wireguard/socket.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireguard/socket.c b/drivers/net/wireguard/socket.c
> index 0414d7a6ce74..c35163f503e7 100644
> --- a/drivers/net/wireguard/socket.c
> +++ b/drivers/net/wireguard/socket.c
> @@ -387,7 +387,7 @@ int wg_socket_init(struct wg_device *wg, u16 port)
>  	ret = udp_sock_create(net, &port4, &new4);
>  	if (ret < 0) {
>  		pr_err("%s: Could not create IPv4 socket\n", wg->dev->name);
> -		goto out;
> +		goto err;

`new4` is either NULL or has already been freed here in the `goto retry`
case. `new6` is NULL here.

>  	}
>  	set_sock_opts(new4);
>  	setup_udp_tunnel_sock(net, new4, &cfg);
> @@ -402,7 +402,7 @@ int wg_socket_init(struct wg_device *wg, u16 port)
>  				goto retry;
>  			pr_err("%s: Could not create IPv6 socket\n",
>  			       wg->dev->name);
> -			goto out;
> +			goto err;

`new4` has just been freed by `udp_tunnel_sock_release` just above the
context. `new6` is NULL.

>  		}
>  		set_sock_opts(new6);
>  		setup_udp_tunnel_sock(net, new6, &cfg);
> @@ -414,6 +414,11 @@ int wg_socket_init(struct wg_device *wg, u16 port)
>  out:
>  	put_net(net);
>  	return ret;
> +
> +err:
> +	sock_free(new4 ? new4->sk : NULL);
> +	sock_free(new6 ? new6->sk : NULL);
> +	goto out;
>  }
>  
>  void wg_socket_reinit(struct wg_device *wg, struct sock *new4,

I don't see the bug. If there is one, maybe try again with a real patch
that describes it better. If there isn't one, what is the point?

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ