lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4366234.TZO2pnkceX@basile.remlab.net>
Date: Mon, 11 Dec 2023 18:47:47 +0200
From: Rémi Denis-Courmont <remi@...lab.net>
To: Hyunwoo Kim <v4bel@...ori.io>
Cc: courmisch@...il.com, imv4bel@...il.com, davem@...emloft.net,
 edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
 netdev@...r.kernel.org, v4bel@...ori.io
Subject: Re: [PATCH] net: phonet: Fix Use-After-Free in pep_recvmsg

Le keskiviikkona 6. joulukuuta 2023, 6.25.19 EET Hyunwoo Kim a écrit :
> Hi,
> 
> On Mon, Dec 04, 2023 at 09:12:11AM +0200, Rémi Denis-Courmont wrote:
> > Hi,
> > 
> > Le 4 décembre 2023 08:59:52 GMT+02:00, Hyunwoo Kim <v4bel@...ori.io> a 
écrit :
> > >Because pep_recvmsg() fetches the skb from pn->ctrlreq_queue
> > >without holding the lock_sock and then frees it,
> > >a race can occur with pep_ioctl().
> > >A use-after-free for a skb occurs with the following flow.
> > 
> > Isn't this the same issue that was reported by Huawei rootlab and for
> > which I already provided a pair of patches to the security list two
> > months ago?
> Is the issue reported to the security mailing list two months ago the same
> as this pn->ctrlreq_queue race?

No, it was another similar problem but the fixes did cover both, I think?

> > TBH, I much prefer the approach in the other patch set, which takes the
> > hit on the ioctl() side rather than the recvmsg()'s.
> That's probably a patch to add sk->sk_receive_queue.lock to pep_ioctl(), is
> that correct?

More or less

> > Unfortunately, I have no visibility on what happened or didn't happen
> > after that, since the security list is private.
> Perhaps this issue hasn't gotten much attention.

Quite possible, but now I'm between a rock and a hard place, because I don't 
know what's (not) going in the security mailing list. In my understanding, it 
was not really OK to bring the issue or post the patches on netdev :shrug:

-- 
雷米‧德尼-库尔蒙
http://www.remlab.net/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ