Message-ID: <4366234.TZO2pnkceX@basile.remlab.net>
Date: Mon, 11 Dec 2023 18:47:47 +0200
From: Rémi Denis-Courmont <remi@...lab.net>
To: Hyunwoo Kim <v4bel@...ori.io>
Cc: courmisch@...il.com, imv4bel@...il.com, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org, v4bel@...ori.io
Subject: Re: [PATCH] net: phonet: Fix Use-After-Free in pep_recvmsg
On Wednesday, 6 December 2023, 6:25:19 EET, Hyunwoo Kim wrote:
> Hi,
>
> On Mon, Dec 04, 2023 at 09:12:11AM +0200, Rémi Denis-Courmont wrote:
> > Hi,
> >
> > On 4 December 2023 08:59:52 GMT+02:00, Hyunwoo Kim <v4bel@...ori.io> wrote:
> > > Because pep_recvmsg() fetches the skb from pn->ctrlreq_queue
> > > without holding the lock_sock and then frees it,
> > > a race can occur with pep_ioctl().
> > > A use-after-free for a skb occurs with the following flow.
> >
> > Isn't this the same issue that was reported by Huawei rootlab and for
> > which I already provided a pair of patches to the security list two
> > months ago?
> Is the issue reported to the security mailing list two months ago the same
> as this pn->ctrlreq_queue race?
No, it was another similar problem, but the fixes did cover both, I think?
> > TBH, I much prefer the approach in the other patch set, which takes the
> > hit on the ioctl() side rather than the recvmsg()'s.
> That's probably a patch to add sk->sk_receive_queue.lock to pep_ioctl(), is
> that correct?
More or less.
> > Unfortunately, I have no visibility on what happened or didn't happen
> > after that, since the security list is private.
> Perhaps this issue hasn't gotten much attention.
Quite possible, but now I'm between a rock and a hard place, because I don't
know what's (not) going on in the security mailing list. In my understanding, it
was not really OK to bring the issue or post the patches on netdev :shrug:
--
雷米‧德尼-库尔蒙
http://www.remlab.net/