lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <acd7dda5-0e80-4bda-b484-55515aac8fd8@oracle.com>
Date: Sun, 14 Apr 2024 19:26:10 -0700
From: Rao Shoaib <rao.shoaib@...cle.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>
Cc: Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v2 net 1/2] af_unix: Call manage_oob() for every skb in
 unix_stream_read_generic().



On 4/10/24 10:10, Kuniyuki Iwashima wrote:
> When we call recv() for AF_UNIX socket, we first peek one skb and
> calls manage_oob() to check if the skb is sent with MSG_OOB.
> 
> However, when we fetch the next (and the following) skb, manage_oob()
> is not called now, leading a wrong behaviour.
> 
> Let's say a socket send()s "hello" with MSG_OOB and the peer tries
> to recv() 5 bytes with MSG_PEEK.  Here, we should get only "hell"
> without 'o', but actually not:
> 
>    >>> from socket import *
>    >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>    >>> c1.send(b'hello', MSG_OOB)
>    5
>    >>> c2.recv(5, MSG_PEEK)
>    b'hello'
> 
> The first skb fills 4 bytes, and the next skb is peeked but not
> properly checked by manage_oob().
> 
> Let's move up the again label to call manage_oob() for evry skb.
> 
> With this patch:
> 
>    >>> from socket import *
>    >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)
>    >>> c1.send(b'hello', MSG_OOB)
>    5
>    >>> c2.recv(5, MSG_PEEK)
>    b'hell'
> 
> Fixes: 314001f0bf92 ("af_unix: Add OOB support")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> ---
>   net/unix/af_unix.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index d032eb5fa6df..f297320438bf 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -2741,6 +2741,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
>   		last = skb = skb_peek(&sk->sk_receive_queue);
>   		last_len = last ? last->len : 0;
>   
> +again:
>   #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
>   		if (skb) {
>   			skb = manage_oob(skb, sk, flags, copied);
> @@ -2752,7 +2753,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
>   			}
>   		}
>   #endif
> -again:
>   		if (skb == NULL) {
>   			if (copied >= target)
>   				goto unlock;

Looks Good.

Reviewed-by: Rao shoaib <rao.shoaib@...cle.com>

Shoaib

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ