| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Dec 2023 20:25:19 -0800
From: Hyunwoo Kim <v4bel@...ori.io>
To: Rémi Denis-Courmont <remi@...lab.net>
Cc: courmisch@...il.com, imv4bel@...il.com, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org, v4bel@...ori.io
Subject: Re: [PATCH] net: phonet: Fix Use-After-Free in pep_recvmsg
Hi,
On Mon, Dec 04, 2023 at 09:12:11AM +0200, Rémi Denis-Courmont wrote:
> Hi,
>
> Le 4 décembre 2023 08:59:52 GMT+02:00, Hyunwoo Kim <v4bel@...ori.io> a écrit :
> >Because pep_recvmsg() fetches the skb from pn->ctrlreq_queue
> >without holding the lock_sock and then frees it,
> >a race can occur with pep_ioctl().
> >A use-after-free for a skb occurs with the following flow.
>
> Isn't this the same issue that was reported by Huawei rootlab and for which I already provided a pair of patches to the security list two months ago?
Is the issue reported to the security mailing list two months ago the same as this pn->ctrlreq_queue race?
>
> TBH, I much prefer the approach in the other patch set, which takes the hit on the ioctl() side rather than the recvmsg()'s.
That's probably a patch to add sk->sk_receive_queue.lock to pep_ioctl(), is that correct?
>
> Unfortunately, I have no visibility on what happened or didn't happen after that, since the security list is private.
Perhaps this issue hasn't gotten much attention.
Regards,
Hyunwoo Kim
>
> >```
> >pep_recvmsg() -> skb_dequeue() -> skb_free_datagram()
> >pep_ioctl() -> skb_peek()
> >```
> >Fix this by adjusting the scope of lock_sock in pep_recvmsg().
> >
> >Signed-off-by: Hyunwoo Kim <v4bel@...ori.io>
> >---
> > net/phonet/pep.c | 17 +++++++++++++----
> > 1 file changed, 13 insertions(+), 4 deletions(-)
> >
> >diff --git a/net/phonet/pep.c b/net/phonet/pep.c
> >index faba31f2eff2..212d8a9ddaee 100644
> >--- a/net/phonet/pep.c
> >+++ b/net/phonet/pep.c
> >@@ -1250,12 +1250,17 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> > if (unlikely(1 << sk->sk_state & (TCPF_LISTEN | TCPF_CLOSE)))
> > return -ENOTCONN;
> >
> >+ lock_sock(sk);
> >+
> > if ((flags & MSG_OOB) || sock_flag(sk, SOCK_URGINLINE)) {
> > /* Dequeue and acknowledge control request */
> > struct pep_sock *pn = pep_sk(sk);
> >
> >- if (flags & MSG_PEEK)
> >+ if (flags & MSG_PEEK) {
> >+ release_sock(sk);
> > return -EOPNOTSUPP;
> >+ }
> >+
>
> Also this change is not really accounted for.
>
> > skb = skb_dequeue(&pn->ctrlreq_queue);
> > if (skb) {
> > pep_ctrlreq_error(sk, skb, PN_PIPE_NO_ERROR,
> >@@ -1263,12 +1268,14 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> > msg->msg_flags |= MSG_OOB;
> > goto copy;
> > }
> >- if (flags & MSG_OOB)
> >+
> >+ if (flags & MSG_OOB) {
> >+ release_sock(sk);
> > return -EINVAL;
> >+ }
> > }
> >
> > skb = skb_recv_datagram(sk, flags, &err);
> >- lock_sock(sk);
> > if (skb == NULL) {
> > if (err == -ENOTCONN && sk->sk_state == TCP_CLOSE_WAIT)
> > err = -ECONNRESET;
> >@@ -1278,7 +1285,7 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> >
> > if (sk->sk_state == TCP_ESTABLISHED)
> > pipe_grant_credits(sk, GFP_KERNEL);
> >- release_sock(sk);
> >+
> > copy:
> > msg->msg_flags |= MSG_EOR;
> > if (skb->len > len)
> >@@ -1291,6 +1298,8 @@ static int pep_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
> > err = (flags & MSG_TRUNC) ? skb->len : len;
> >
> > skb_free_datagram(sk, skb);
> >+
> >+ release_sock(sk);
> > return err;
> > }
> >
Powered by blists - more mailing lists