lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <498a6aad-3b53-4918-975e-3827f8230bd0@stuba.sk>
Date: Mon, 15 Jul 2024 14:49:24 +0200
From: Matus Jokay <matus.jokay@...ba.sk>
To: Jens Axboe <axboe@...nel.dk>, Jakub Kicinski <kuba@...nel.org>
Cc: Gabriel Krisman Bertazi <krisman@...e.de>, io-uring@...r.kernel.org,
 netdev@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v2 1/4] net: Split a __sys_bind helper for io_uring

On 19. 6. 2024 17:06, Jens Axboe wrote:
> On 6/19/24 9:04 AM, Jakub Kicinski wrote:
>> On Wed, 19 Jun 2024 07:40:40 -0600 Jens Axboe wrote:
>>> On 6/18/24 6:49 PM, Jakub Kicinski wrote:
>>>> On Fri, 14 Jun 2024 12:30:44 -0400 Gabriel Krisman Bertazi wrote:  
>>>>> io_uring holds a reference to the file and maintains a
>>>>> sockaddr_storage address.  Similarly to what was done to
>>>>> __sys_connect_file, split an internal helper for __sys_bind in
>>>>> preparation to supporting an io_uring bind command.
>>>>>
>>>>> Reviewed-by: Jens Axboe <axboe@...nel.dk>
>>>>> Signed-off-by: Gabriel Krisman Bertazi <krisman@...e.de>  
>>>>
>>>> Acked-by: Jakub Kicinski <kuba@...nel.org>  
>>>
>>> Are you fine with me queueing up 1-2 via the io_uring branch?
>>> I'm guessing the risk of conflict should be very low, so doesn't
>>> warrant a shared branch.
>>
>> Yup, exactly, these can go via io_uring without branch juggling.
> 
> Great thanks!
> 
Please fix io_bind and io_listen to not pass NULL ptr to related helpers
__sys_bind_socket and __sys_listen_socket. The first helper's argument
shouldn't be NULL, as related security hooks expect a valid socket object.

See the syzkaller's bug report:
https://lore.kernel.org/linux-security-module/0000000000007b7ce6061d1caec0@google.com/

Thanks,
mY

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ