| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAADnVQJibNXGSxUnjb8q=vNNdJ7AOVm0Mq+1sQn9fdUMY0JPSA@mail.gmail.com>
Date: Wed, 9 Apr 2025 20:02:01 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Jiayuan Chen <jiayuan.chen@...ux.dev>
Cc: bpf <bpf@...r.kernel.org>, Jiayuan Chen <mrpre@....com>,
syzbot+dd90a702f518e0eac072@...kaller.appspotmail.com,
John Fastabend <john.fastabend@...il.com>, Jakub Sitnicki <jakub@...udflare.com>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>,
Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>, KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>, Michal Luczaj <mhal@...x.co>,
Cong Wang <cong.wang@...edance.com>, Network Development <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org>
Subject: Re: [PATCH bpf-next v4 2/3] bpf, sockmap: avoid using sk_socket after
free when reading
On Tue, Apr 8, 2025 at 12:31 AM Jiayuan Chen <jiayuan.chen@...ux.dev> wrote:
>
> There are potential concurrency issues, as shown below.
> '''
> CPU0 CPU1
> sk_psock_verdict_data_ready:
> socket *sock = sk->sk_socket
> if (!sock) return
> close(fd):
> ...
> ops->release()
> if (!sock->ops) return
> sock->ops = NULL
> rcu_call(sock)
> free(sock)
> READ_ONCE(sock->ops)
> ^
> use 'sock' after free
> '''
>
> RCU is not applicable to Unix sockets read path, because the Unix socket
> implementation itself assumes it's always in process context and heavily
> uses mutex_lock, so, we can't call read_skb within rcu lock.
>
> Incrementing the psock reference count would not help either, since
> sock_map_close() does not wait for data_ready() to complete its execution.
>
> While we don't utilize sk_socket here, implementing read_skb at the sock
> layer instead of socket layer might be architecturally preferable ?
> However, deferring this optimization as current fix adequately addresses
> the immediate issue.
>
> Fixes: c63829182c37 ("af_unix: Implement ->psock_update_sk_prot()")
> Reported-by: syzbot+dd90a702f518e0eac072@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/bpf/6734c033.050a0220.2a2fcc.0015.GAE@google.com/
> Signed-off-by: Jiayuan Chen <jiayuan.chen@...ux.dev>
> ---
> net/core/skmsg.c | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/net/core/skmsg.c b/net/core/skmsg.c
> index 6101c1bb279a..5e913b62929e 100644
> --- a/net/core/skmsg.c
> +++ b/net/core/skmsg.c
> @@ -1231,17 +1231,24 @@ static int sk_psock_verdict_recv(struct sock *sk, struct sk_buff *skb)
>
> static void sk_psock_verdict_data_ready(struct sock *sk)
> {
> - struct socket *sock = sk->sk_socket;
> + struct socket *sock;
> const struct proto_ops *ops;
> int copied;
>
> trace_sk_data_ready(sk);
>
> - if (unlikely(!sock))
> + rcu_read_lock();
> + sock = sk->sk_socket;
> + if (unlikely(!sock)) {
> + rcu_read_unlock();
> return;
> + }
> ops = READ_ONCE(sock->ops);
> - if (!ops || !ops->read_skb)
> + if (!ops || !ops->read_skb) {
> + rcu_read_unlock();
> return;
> + }
> + rcu_read_unlock();
This makes no sense to me. RCU doesn't work this way.
pw-bot: cr
Powered by blists - more mailing lists