Message-ID: <CANn89iJhhUqg-jgvwNz6QFHWjC7GbC87q3HcudmMPYx_gxHc2w@mail.gmail.com>
Date: Thu, 2 May 2024 09:41:22 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, David Ahern <dsahern@...nel.org>,
Anderson Nascimento <anderson@...elesecurity.com>, Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v1 net] tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
On Wed, May 1, 2024 at 11:32 PM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()
> with nice analysis.
>
> Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for
> timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's
> sk_refcnt after putting it into ehash and releasing the bucket lock.
>
> Thus, there is a small race window where other threads could try to
> reuse the port during connect() and call sock_hold() in tcp_twsk_unique()
> for the TIME-WAIT socket with zero refcnt.
>
> If that happens, the refcnt taken by tcp_twsk_unique() is overwritten
> and sock_put() will cause underflow, triggering a real use-after-free
> somewhere else.
>
> To avoid the use-after-free, we need to use refcount_inc_not_zero() in
> tcp_twsk_unique() and give up on reusing the port if it returns false.
>
...
> Fixes: ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance")
> Reported-by: Anderson Nascimento <anderson@...elesecurity.com>
> Closes: https://lore.kernel.org/netdev/37a477a6-d39e-486b-9577-3463f655a6b7@allelesecurity.com/
> Suggested-by: Eric Dumazet <edumazet@...gle.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Thanks
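The interleaving described in the quoted commit message, replayed as an added C model (not kernel code, and not part of this thread): the socket is published with sk_refcnt == 0, a racing connect() either takes an unconditional reference or uses refcount_inc_not_zero() semantics, then hashdance overwrites the count. The value TW_INITIAL_REFS and all function names are assumptions of this model.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Assumed value written by refcount_set() at the end of hashdance (model only). */
#define TW_INITIAL_REFS 3

struct tw_sock { atomic_int refcnt; };   /* only the refcount is modelled */

/* sock_hold() as used before the fix: unconditional increment. */
static void tw_hold(struct tw_sock *tw) { atomic_fetch_add(&tw->refcnt, 1); }

/* refcount_inc_not_zero() semantics: take a reference only if one exists. */
static bool tw_hold_not_zero(struct tw_sock *tw)
{
    int old = atomic_load(&tw->refcnt);
    do {
        if (old == 0)
            return false;          /* not yet owned: give up on port reuse */
    } while (!atomic_compare_exchange_weak(&tw->refcnt, &old, old + 1));
    return true;
}

/* sock_put(): true when this drop reached zero, i.e. the object is freed. */
static bool tw_put(struct tw_sock *tw) { return atomic_fetch_sub(&tw->refcnt, 1) == 1; }

/*
 * Replay the race: hashdance publishes the socket with refcnt 0, a
 * concurrent tcp_twsk_unique() tries to reuse the port, then hashdance
 * sets the refcount. Returns how many holders still reference the socket
 * at the moment it is freed (0 means no use-after-free).
 */
static int replay_race(bool use_inc_not_zero)
{
    struct tw_sock tw = { .refcnt = 0 };   /* in ehash, refcount not set yet */
    int holders = 0;

    if (use_inc_not_zero) {
        if (tw_hold_not_zero(&tw))
            holders++;                      /* refused here: refcnt is 0 */
    } else {
        tw_hold(&tw);                       /* refcnt 0 -> 1 */
        holders++;                          /* connect() path will sock_put() */
    }

    atomic_store(&tw.refcnt, TW_INITIAL_REFS); /* refcount_set() overwrites it */
    holders += TW_INITIAL_REFS;

    while (holders > 0) {                   /* every holder eventually drops */
        holders--;
        if (tw_put(&tw))
            return holders;                 /* freed with 'holders' still live */
    }
    return 0;
}
```

With the unconditional hold, the reference taken by the connect() path is lost when the count is overwritten, so the socket is freed while one holder still uses it; with the not-zero variant the reuse is refused and every drop is accounted for.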