| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez1hXk_cffp3dy-bYMcoyCCj-EySYR5SzYrNiRHGD=hOUg@mail.gmail.com> Date: Tue, 5 Dec 2023 18:08:29 +0100 From: Jann Horn <jannh@...gle.com> To: Pablo Neira Ayuso <pablo@...filter.org>, Jozsef Kadlecsik <kadlec@...filter.org>, Florian Westphal <fw@...len.de>, netfilter-devel <netfilter-devel@...r.kernel.org>, coreteam@...filter.org Cc: Christian Brauner <brauner@...nel.org>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Network Development <netdev@...r.kernel.org>, kernel list <linux-kernel@...r.kernel.org> Subject: Re: Is xt_owner's owner_mt() racy with sock_orphan()? [worse with new TYPESAFE_BY_RCU file lifetime?] On Tue, Dec 5, 2023 at 5:40 PM Jann Horn <jannh@...gle.com> wrote: > > Hi! > > I think this code is racy, but testing that seems like a pain... > > owner_mt() in xt_owner runs in context of a NF_INET_LOCAL_OUT or > NF_INET_POST_ROUTING hook. It first checks that sk->sk_socket is > non-NULL, then checks that sk->sk_socket->file is non-NULL, then > accesses the ->f_cred of that file. > > I don't see anything that protects this against a concurrent > sock_orphan(), which NULLs out the sk->sk_socket pointer, if we're in Ah, and all the other users of ->sk_socket in net/netfilter/ do it under the sk_callback_lock... so I guess the fix would be to add the same in owner_mt?
Powered by blists - more mailing lists