| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iLEANNvZ45PaPL8miZeyMUTAcLoVR4WS55gbtfiMPbueQ@mail.gmail.com>
Date: Tue, 21 Nov 2023 09:08:49 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Dmitry Safonov <dima@...sta.com>
Cc: David Ahern <dsahern@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Jakub Kicinski <kuba@...nel.org>, "David S. Miller" <davem@...emloft.net>, linux-kernel@...r.kernel.org,
Dmitry Safonov <0x7f454c46@...il.com>, Francesco Ruggeri <fruggeri05@...il.com>,
Salam Noureddine <noureddine@...sta.com>, Simon Horman <horms@...nel.org>, netdev@...r.kernel.org
Subject: Re: [PATCH 6/7] net/tcp: ACCESS_ONCE() on snd/rcv SNEs
On Tue, Nov 21, 2023 at 3:01 AM Dmitry Safonov <dima@...sta.com> wrote:
>
> SNEs need READ_ONCE()/WRITE_ONCE() for access as they can be written and
> read at the same time.
>
> This is actually a shame: I planned to send it in TCP-AO patches, but
> it seems I've chosen a wrong commit to git-commit-fixup some time ago.
> It ended up in a commit that adds a selftest. Human factor.
>
> Fixes: 64382c71a557 ("net/tcp: Add TCP-AO SNE support")
> Signed-off-by: Dmitry Safonov <dima@...sta.com>
> ---
> net/ipv4/tcp_ao.c | 4 ++--
> net/ipv4/tcp_input.c | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
> index 122ff58168ee..9b7f1970c2e9 100644
> --- a/net/ipv4/tcp_ao.c
> +++ b/net/ipv4/tcp_ao.c
> @@ -956,8 +956,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb,
> if (unlikely(th->syn && !th->ack))
> goto verify_hash;
>
> - sne = tcp_ao_compute_sne(info->rcv_sne, tcp_sk(sk)->rcv_nxt,
> - ntohl(th->seq));
> + sne = tcp_ao_compute_sne(READ_ONCE(info->rcv_sne),
> + tcp_sk(sk)->rcv_nxt, ntohl(th->seq));
I think this is a wrong fix. Something is definitely fishy here.
Update side should only happen for an established socket ?
And the read side should have locked the socket before calling
tcp_inbound_ao_hash(),
otherwise reading other fields (like tcp_sk(sk)->rcv_nxt) would be racy anyway.
> /* Established socket, traffic key are cached */
> traffic_key = rcv_other_key(key);
> err = tcp_ao_verify_hash(sk, skb, family, info, aoh, key,
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index bcb55d98004c..78896c8be0d4 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
tcp_snd_sne_update() definitely only deals with full sockets
(TCP_AO_ESTABLISHED)
> @@ -3583,7 +3583,7 @@ static void tcp_snd_sne_update(struct tcp_sock *tp, u32 ack)
> ao = rcu_dereference_protected(tp->ao_info,
> lockdep_sock_is_held((struct sock *)tp));
> if (ao && ack < tp->snd_una)
> - ao->snd_sne++;
> + WRITE_ONCE(ao->snd_sne, ao->snd_sne + 1);
> #endif
> }
>
> @@ -3609,7 +3609,7 @@ static void tcp_rcv_sne_update(struct tcp_sock *tp, u32 seq)
> ao = rcu_dereference_protected(tp->ao_info,
> lockdep_sock_is_held((struct sock *)tp));
> if (ao && seq < tp->rcv_nxt)
> - ao->rcv_sne++;
> + WRITE_ONCE(ao->rcv_sne, ao->rcv_sne + 1);
> #endif
> }
>
> --
> 2.42.0
>
Powered by blists - more mailing lists