Message-ID: <20241213092152.14057-1-kuniyu@amazon.com>
Date: Fri, 13 Dec 2024 18:21:37 +0900
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, Simon Horman <horms@...nel.org>
CC: Kuniyuki Iwashima <kuniyu@...zon.com>, Kuniyuki Iwashima
	<kuni1840@...il.com>, <netdev@...r.kernel.org>
Subject: [PATCH v3 net-next 00/15] treewide: socket: Clean up sock_create() and friends.

There are a bunch of weird usages of sock_create() and friends due
to poor documentation.

  1) some subsystems use __sock_create(), but all of them can be
     replaced with sock_create_kern()

  2) some subsystems use sock_create(), but most of the sockets are
     not tied to userspace processes nor exposed via file descriptors
     but are (most likely unintentionally) exposed to some BPF hooks
     (infiniband, ISDN, NVMe over TCP, iscsi, Xen PV call, ocfs2, smbd)

  3) some subsystems use sock_create_kern() and convert the sockets
     to hold netns refcnt (cifs, mptcp, rds, smc, and sunrpc)

The primary goal is to sort out such confusion and provide enough
documentation for future developers to choose an appropriate API.

Regarding 3), we introduce a new API, sock_create_net(), that holds
a netns refcnt for kernel socket to remove the socket conversion to
avoid use-after-free triggered by TCP kernel socket after commit
26abe14379f8 ("net: Modify sk_alloc to not reference count the netns
of kernel sockets.").

Finally, we rename sock_create() and sock_create_kern() to
sock_create_user() and sock_create_net_noref(), respectively.
This intentionally breaks out-of-tree drivers to give the owners
a chance to choose an appropriate API.

Throughout the series, we follow the definition below:

  userspace socket:
    * created by sock_create_user()
    * holds the reference count of the network namespace
    * directly linked to a file descriptor
      * currently all sockets created by sane sock_create() users
        are tied to userspace process and exposed via file descriptors
    * accessed via a file descriptor (and some BPF hooks except
      for BPF LSM)

  kernel socket:
    * created by sock_create_net() or sock_create_net_noref()
      * the former holds the refcnt of netns, but the latter doesn't
    * not directly exposed to userspace via a file descriptor nor BPF
      except for BPF LSM

Note that __sock_create(kern=1) skips some LSMs (SELinux, AppArmor)
but not all; BPF LSM can enforce security regardless of the argument.

Since this refactoring is huge, there will be a concern that
the series could make the future backport difficult.  However,
socket() / accept() / sk_alloc() paths are unlikely to have many
bugs and backports.  For example, net/socket.c has few backports
and only 631083143315 touches __sock_create() in 6.1 and 6.6.

  $ for v in 6.12 6.6 6.1 5.15 5.10 5.4; \
  do \
    echo "$v : $(git log --oneline stable/linux-$v.y...v$v -- net/socket.c | wc -l)"; \
  done
  6.12 : 0
  6.6 : 7
  6.1 : 13
  5.15 : 8
  5.10 : 13
  5.4 : 13


Changes:
  v3:
    * Drop /proc/net/sockstat patch
    * Add a patch to make sock_inuse_add() static

  v2: https://lore.kernel.org/netdev/20241210073829.62520-1-kuniyu@amazon.com/
    * Patch 8
      * Fix build error for PF_IUCV
    * Patch 12
      * Collect Acked-by from MPTCP/RDS maintainers

  v1: https://lore.kernel.org/netdev/20241206075504.24153-1-kuniyu@amazon.com/


Kuniyuki Iwashima (15):
  socket: Un-export __sock_create().
  socket: Pass hold_net flag to __sock_create().
  smc: Pass kern to smc_sock_alloc().
  socket: Pass hold_net to struct net_proto_family.create().
  ppp: Pass hold_net to struct pppox_proto.create().
  nfc: Pass hold_net to struct nfc_protocol.create().
  socket: Add hold_net flag to struct proto_accept_arg.
  socket: Pass hold_net to sk_alloc().
  socket: Respect hold_net in sk_alloc().
  socket: Introduce sock_create_net().
  socket: Remove kernel socket conversion.
  socket: Move sock_inuse_add() to sock.c.
  socket: Use sock_create_net() instead of sock_create().
  socket: Rename sock_create() to sock_create_user().
  socket: Rename sock_create_kern() to sock_create_net_noref().

 crypto/af_alg.c                               |   7 +-
 drivers/block/drbd/drbd_receiver.c            |  12 +-
 drivers/infiniband/hw/erdma/erdma_cm.c        |   6 +-
 drivers/infiniband/sw/rxe/rxe_qp.c            |   2 +-
 drivers/infiniband/sw/siw/siw_cm.c            |   6 +-
 drivers/isdn/mISDN/l1oip_core.c               |   3 +-
 drivers/isdn/mISDN/socket.c                   |  17 +-
 drivers/net/ppp/pppoe.c                       |   5 +-
 drivers/net/ppp/pppox.c                       |   4 +-
 drivers/net/ppp/pptp.c                        |   5 +-
 drivers/net/tap.c                             |   2 +-
 drivers/net/tun.c                             |   2 +-
 drivers/nvme/host/tcp.c                       |   5 +-
 drivers/nvme/target/tcp.c                     |   5 +-
 drivers/soc/qcom/qmi_interface.c              |   4 +-
 drivers/target/iscsi/iscsi_target_login.c     |   7 +-
 drivers/xen/pvcalls-back.c                    |   7 +-
 drivers/xen/pvcalls-front.c                   |   3 +-
 fs/afs/rxrpc.c                                |   3 +-
 fs/dlm/lowcomms.c                             |   8 +-
 fs/ocfs2/cluster/tcp.c                        |  10 +-
 fs/smb/client/connect.c                       |  13 +-
 fs/smb/server/transport_tcp.c                 |   7 +-
 include/linux/if_pppox.h                      |   3 +-
 include/linux/net.h                           |  11 +-
 include/net/bluetooth/bluetooth.h             |   3 +-
 include/net/llc_conn.h                        |   2 +-
 include/net/sctp/structs.h                    |   2 +-
 include/net/sock.h                            |  12 +-
 io_uring/net.c                                |   2 +
 net/9p/trans_fd.c                             |   8 +-
 net/appletalk/ddp.c                           |   4 +-
 net/atm/common.c                              |   5 +-
 net/atm/common.h                              |   3 +-
 net/atm/pvc.c                                 |   4 +-
 net/atm/svc.c                                 |   8 +-
 net/ax25/af_ax25.c                            |   7 +-
 net/bluetooth/af_bluetooth.c                  |   9 +-
 net/bluetooth/bnep/sock.c                     |   5 +-
 net/bluetooth/cmtp/sock.c                     |   4 +-
 net/bluetooth/hci_sock.c                      |   4 +-
 net/bluetooth/hidp/sock.c                     |   5 +-
 net/bluetooth/iso.c                           |  11 +-
 net/bluetooth/l2cap_sock.c                    |  14 +-
 net/bluetooth/rfcomm/core.c                   |   3 +-
 net/bluetooth/rfcomm/sock.c                   |  12 +-
 net/bluetooth/sco.c                           |  11 +-
 net/bpf/test_run.c                            |   2 +-
 net/caif/caif_socket.c                        |   4 +-
 net/can/af_can.c                              |   4 +-
 net/ceph/messenger.c                          |   6 +-
 net/core/sock.c                               |  19 ++-
 net/handshake/handshake-test.c                |  33 ++--
 net/ieee802154/socket.c                       |   4 +-
 net/ipv4/af_inet.c                            |   7 +-
 net/ipv4/udp_tunnel_core.c                    |   2 +-
 net/ipv6/af_inet6.c                           |   4 +-
 net/ipv6/ip6_udp_tunnel.c                     |   4 +-
 net/iucv/af_iucv.c                            |  13 +-
 net/kcm/kcmsock.c                             |   6 +-
 net/key/af_key.c                              |   4 +-
 net/l2tp/l2tp_core.c                          |   8 +-
 net/l2tp/l2tp_ppp.c                           |   6 +-
 net/llc/af_llc.c                              |   6 +-
 net/llc/llc_conn.c                            |  11 +-
 net/mctp/af_mctp.c                            |   4 +-
 net/mctp/test/route-test.c                    |   6 +-
 net/mptcp/pm_netlink.c                        |   4 +-
 net/mptcp/subflow.c                           |  12 +-
 net/netfilter/ipvs/ip_vs_sync.c               |   8 +-
 net/netlink/af_netlink.c                      |  11 +-
 net/netrom/af_netrom.c                        |   7 +-
 net/nfc/af_nfc.c                              |   5 +-
 net/nfc/llcp.h                                |   3 +-
 net/nfc/llcp_core.c                           |   3 +-
 net/nfc/llcp_sock.c                           |  10 +-
 net/nfc/nfc.h                                 |   3 +-
 net/nfc/rawsock.c                             |   5 +-
 net/packet/af_packet.c                        |   4 +-
 net/phonet/af_phonet.c                        |   4 +-
 net/phonet/pep.c                              |   2 +-
 net/qrtr/af_qrtr.c                            |   4 +-
 net/qrtr/ns.c                                 |   6 +-
 net/rds/af_rds.c                              |   4 +-
 net/rds/tcp.c                                 |  14 --
 net/rds/tcp_connect.c                         |  21 ++-
 net/rds/tcp_listen.c                          |  17 +-
 net/rose/af_rose.c                            |  11 +-
 net/rxrpc/af_rxrpc.c                          |   4 +-
 net/rxrpc/rxperf.c                            |   4 +-
 net/sctp/ipv6.c                               |   7 +-
 net/sctp/protocol.c                           |   7 +-
 net/sctp/socket.c                             |   6 +-
 net/smc/af_smc.c                              |  38 ++---
 net/smc/smc_inet.c                            |   2 +-
 net/socket.c                                  | 145 +++++++++++++-----
 net/sunrpc/clnt.c                             |   4 +-
 net/sunrpc/svcsock.c                          |  12 +-
 net/sunrpc/xprtsock.c                         |  16 +-
 net/tipc/socket.c                             |   8 +-
 net/tipc/topsrv.c                             |   4 +-
 net/unix/af_unix.c                            |  17 +-
 net/vmw_vsock/af_vsock.c                      |  10 +-
 net/wireless/nl80211.c                        |   4 +-
 net/x25/af_x25.c                              |  13 +-
 net/xdp/xsk.c                                 |   4 +-
 .../selftests/bpf/bpf_testmod/bpf_testmod.c   |   4 +-
 107 files changed, 512 insertions(+), 403 deletions(-)

-- 
2.39.5 (Apple Git-154)
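
For owners of out-of-tree code hit by the renames in this cover letter, the script below lists call sites of the three affected helpers together with the replacement the letter describes. It is an added example, not part of the posted series: `audit_sock_create`, `make_sample`, `demo_drv.c` and `my_sock_create` are hypothetical names, the sample file is constructed, and the hints restate the API names proposed in this v3.

```shell
#!/bin/sh
# Added example (not from the patch series). Heuristic text match: it also
# reports prototypes and comments, and it cannot decide for you whether a
# socket is tied to a file descriptor or needs a netns refcnt.
audit_sock_create() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec awk '
    BEGIN {
        # Hints restate the cover letter (names as proposed in v3).
        hint["__sock_create"] = "un-exported; replace with sock_create_kern(), renamed sock_create_net_noref()"
        hint["sock_create_kern"] = "sock_create_net_noref(), or sock_create_net() if the socket must hold a netns refcnt"
        hint["sock_create"] = "sock_create_user() if tied to a file descriptor, otherwise sock_create_net()"
    }
    {
        rest = $0
        while (match(rest, /(__sock_create|sock_create_kern|sock_create)[ \t]*\(/)) {
            name = substr(rest, RSTART, RLENGTH)
            sub(/[ \t]*\($/, "", name)
            # Skip identifiers that merely end in one of the names.
            prev = (RSTART > 1) ? substr(rest, RSTART - 1, 1) : ""
            if (prev !~ /[A-Za-z0-9_]/)
                printf "%s:%d: %s -> %s\n", FILENAME, FNR, name, hint[name]
            rest = substr(rest, RSTART + RLENGTH)
        }
    }' {} + | sort
}

# Writes a constructed sample file (not real driver code) into directory $1.
make_sample() {
    cat > "$1/demo_drv.c" <<'EOF'
/* Constructed sample, not real driver code. */
static int demo_open(struct net *net, struct socket **res)
{
	int err = sock_create(AF_INET, SOCK_STREAM, IPPROTO_TCP, res);
	if (err)
		err = sock_create_kern(net, AF_INET, SOCK_STREAM, IPPROTO_TCP, res);
	if (err)
		err = __sock_create(net, AF_INET, SOCK_STREAM, IPPROTO_TCP, res, 1);
	return err ? err : my_sock_create(res);
}
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_sock_create "$tmp"
rm -rf "$tmp"
```

Run `audit_sock_create` against a driver's source directory; each reported line still needs a manual decision following the userspace/kernel socket definitions in the message above.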

