Open Source and information security mailing list archives
Message-ID: <fdd655490688410497d82ff3d38da093@AcuMS.aculab.com>
Date: Thu, 29 Feb 2024 21:51:34 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Kuniyuki Iwashima' <kuniyu@...zon.com>, "David S. Miller"
	<davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski
	<kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Allison Henderson
	<allison.henderson@...cle.com>
CC: Kuniyuki Iwashima <kuni1840@...il.com>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, "linux-rdma@...r.kernel.org"
	<linux-rdma@...r.kernel.org>, "rds-devel@....oracle.com"
	<rds-devel@....oracle.com>
Subject: RE: [PATCH v2 net 3/5] net: Convert @kern of __sock_create() to enum.

From: Kuniyuki Iwashima
> Sent: 27 February 2024 01:11
> Subject: [PATCH v2 net 3/5] net: Convert @kern of __sock_create() to enum.

Should probably be (something like):
	Allow __sock_create() to create kernel sockets that hold a reference
	to the network namespace.

> Historically, syzbot has reported many use-after-free of struct
> net by kernel sockets.
> 
> In most cases, the root cause was a timer kicked by a kernel socket
> which does not hold netns refcount nor clean it up during netns
> dismantle.
> 
> This patch converts the @kern argument of __sock_create() to enum
> so that we can pass SOCKET_KERN_NET_REF and later sk_alloc() can
> hold refcount of net for kernel sockets.

I think you should add a 'hold netns' parameter to sock_create_kern().
Indeed, that is likely to be used for a real connection
(which would need the 'hold netns') and code that doesn't need it
(because the socket is some internal housekeeping socket) could
directly call __sock_create().

Fortunately both functions are exported non-gpl.

I've this comment in a driver...

    /* sock_create_kern() creates a socket that doesn't hold a reference
     * to the namespace (they get used for sockets needed by the protocol
     * stack code itself).
     * We need a socket that holds a reference to the namespace, so create
     * a 'user' socket in a specific namespace.
     * This adds an extra security check which we should pass because all the
     * sockets are created by kernel threads.
     */
    rval = __sock_create(net, family, type, protocol, sockp, 0);


	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)