| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f99f4631-f58b-425d-b671-717b63bb45f3@redhat.com>
Date: Wed, 28 May 2025 13:40:28 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Willem de Bruijn <willemb@...gle.com>
Cc: Simon Horman <horms@...nel.org>, Christian Brauner <brauner@...nel.org>,
Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v5 net-next 0/9] af_unix: Introduce SO_PASSRIGHTS.
On 5/19/25 10:57 PM, Kuniyuki Iwashima wrote:
> As long as recvmsg() or recvmmsg() is used with cmsg, it is not
> possible to avoid receiving file descriptors via SCM_RIGHTS.
>
> This series introduces a new socket option, SO_PASSRIGHTS, to allow
> disabling SCM_RIGHTS. The option is enabled by default.
>
> See patch 8 for background/context.
>
> This series is related to [0], but is split into a separate series,
> as most of the patches are specific to af_unix.
>
> The v2 of the BPF LSM extension part will be posted later, once
> this series is merged into net-next and has landed in bpf-next.
>
> [0]: https://lore.kernel.org/bpf/20250505215802.48449-1-kuniyu@amazon.com/
While booting a debug linus's tree with current net-next merged in, I
see a few splat at boot time:
[ 4.556951] refcount_t: underflow; use-after-free.
[ 4.557466] WARNING: CPU: 0 PID: 1 at lib/refcount.c:28
refcount_warn_saturate+0xae/0x150
[ 4.558351] Modules linked in:
[ 4.558692] CPU: 0 UID: 0 PID: 1 Comm: systemd Tainted: G B
6.15.0.net-next-6.16_0b31b995f034+ #3 PREEMPT(voluntary)
[ 4.559887] Tainted: [B]=BAD_PAGE
[ 4.560246] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9 04/01/2014
[ 4.560913] RIP: 0010:refcount_warn_saturate+0xae/0x150
[ 4.561443] Code: c3 22 a3 03 01 e8 62 de df fe 0f 0b eb d1 80 3d b1
22 a3 03 00 75 c8 48 c7 c7 a0 77 73 b4 c6 05 a1 22 a3 03 01 e8 42 de df
fe <0f> 0b eb b1 80 3d 8f 22 a3 03 00 75 a8 48 c7 c7 60 78 73 b4 c6 05
[ 4.563167] RSP: 0018:ffa000000001fac0 EFLAGS: 00010286
[ 4.563708] RAX: 0000000000000000 RBX: ff11000129544680 RCX:
0000000000000000
[ 4.564401] RDX: 0000000000000002 RSI: 0000000000000004 RDI:
0000000000000001
[ 4.565110] RBP: 0000000000000003 R08: 0000000000000001 R09:
ffe21c002b27d8b1
[ 4.565817] R10: ff110001593ec58b R11: 0000000000000000 R12:
ff11000129544600
[ 4.566511] R13: ff11000129542bc0 R14: 0000000000000001 R15:
ff11000129542c40
[ 4.567216] FS: 00007f2c798deb40(0000) GS:ff110001a1bb3000(0000)
knlGS:0000000000000000
[ 4.568005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4.568579] CR2: 000055c3cefb01d8 CR3: 0000000120b4c003 CR4:
0000000000771ef0
[ 4.569287] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 4.569991] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7:
0000000000000400
[ 4.570688] PKRU: 55555554
[ 4.571005] Call Trace:
[ 4.571285] <TASK>
[ 4.571538] unix_release_sock+0x9ee/0x1040
[ 4.571984] ? rcu_is_watching+0x11/0xb0
[ 4.572398] ? __pfx_unix_release_sock+0x10/0x10
[ 4.572881] ? down_write+0xb4/0x220
[ 4.573268] ? __pfx_down_write+0x10/0x10
[ 4.573687] unix_release+0x88/0xe0
[ 4.574074] __sock_release+0xa3/0x260
[ 4.574474] sock_close+0x14/0x20
[ 4.574842] __fput+0x365/0xa80
[ 4.575197] fput_close_sync+0xd9/0x190
[ 4.575599] ? __pfx_fput_close_sync+0x10/0x10
[ 4.576072] __x64_sys_close+0x79/0xd0
[ 4.576469] do_syscall_64+0x8c/0x3d0
[ 4.576873] ? __pfx___handle_mm_fault+0x10/0x10
[ 4.577354] ? lock_release+0x121/0x190
[ 4.577774] ? rcu_is_watching+0x11/0xb0
[ 4.578188] ? __count_memcg_events+0x45c/0x5c0
[ 4.578654] ? count_memcg_events_mm.constprop.0+0xd4/0x200
[ 4.579275] ? rcu_is_watching+0x11/0xb0
[ 4.579683] ? lock_release+0x121/0x190
[ 4.580100] ? count_memcg_events_mm.constprop.0+0xd9/0x200
[ 4.580658] ? handle_mm_fault+0x3cf/0x670
[ 4.581099] ? exc_page_fault+0x58/0xc0
[ 4.581505] ? rcu_is_watching+0x11/0xb0
[ 4.581925] ? lock_release+0x121/0x190
[ 4.582345] ? do_user_addr_fault+0x489/0xb10
[ 4.582806] ? rcu_is_watching+0x11/0xb0
[ 4.583221] ? trace_irq_enable.constprop.0+0x14a/0x1b0
4.583758] ? clear_bhb_loop+0x60/0xb0
[ 4.584165] ? clear_bhb_loop+0x60/0xb0
[ 4.584574] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 4.585095] RIP: 0033:0x7f2c7a638417
[ 4.585471] Code: ff e8 2d f6 01 00 66 2e 0f 1f 84 00 00 00 00 00 0f
1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f
05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 a3 7e f8 ff
[ 4.587182] RSP: 002b:00007ffc7c624c58 EFLAGS: 00000246 ORIG_RAX:
0000000000000003
[ 4.587921] RAX: ffffffffffffffda RBX: 00007f2c798de9d0 RCX:
00007f2c7a638417
[ 4.588611] RDX: 000055c3cefcfeb0 RSI: 000055c3cef580c0 RDI:
0000000000000026
[ 4.589318] RBP: 0000000000000026 R08: 00000000ffffffff R09:
0000000000000000
[ 4.590019] R10: 0000000000000010 R11: 0000000000000246 R12:
000055c3cef54a10
[ 4.590715] R13: 0000000000000000 R14: 00007ffc7c624db0 R15:
000055c3cef57cc0
[ 4.591408] </TASK>
[ 4.591665] irq event stamp: 25199
[ 4.592044] hardirqs last enabled at (25199): [<ffffffffb1600e06>]
asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 4.592986] hardirqs last disabled at (25198): [<ffffffffb1a1df63>]
handle_softirqs+0x733/0x920
[ 4.593824] softirqs last enabled at (24848): [<ffffffffb1a1de28>]
handle_softirqs+0x5f8/0x920
[ 4.594651] softirqs last disabled at (24843): [<ffffffffb1a1e2fb>]
__irq_exit_rcu+0x11b/0x270
I'm going to blindly test a local revert of this series and/or
a9194f88782afa1386641451a6c76beaa60485a0 and will report back.
/P
Powered by blists - more mailing lists