lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f99f4631-f58b-425d-b671-717b63bb45f3@redhat.com>
Date: Wed, 28 May 2025 13:40:28 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Willem de Bruijn <willemb@...gle.com>
Cc: Simon Horman <horms@...nel.org>, Christian Brauner <brauner@...nel.org>,
 Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v5 net-next 0/9] af_unix: Introduce SO_PASSRIGHTS.

On 5/19/25 10:57 PM, Kuniyuki Iwashima wrote:
> As long as recvmsg() or recvmmsg() is used with cmsg, it is not
> possible to avoid receiving file descriptors via SCM_RIGHTS.
> 
> This series introduces a new socket option, SO_PASSRIGHTS, to allow
> disabling SCM_RIGHTS.  The option is enabled by default.
> 
> See patch 8 for background/context.
> 
> This series is related to [0], but is split into a separate series,
> as most of the patches are specific to af_unix.
> 
> The v2 of the BPF LSM extension part will be posted later, once
> this series is merged into net-next and has landed in bpf-next.
> 
> [0]: https://lore.kernel.org/bpf/20250505215802.48449-1-kuniyu@amazon.com/

While booting a debug linus's tree with current net-next merged in, I
see a few splat at boot time:

[    4.556951] refcount_t: underflow; use-after-free.
[    4.557466] WARNING: CPU: 0 PID: 1 at lib/refcount.c:28
refcount_warn_saturate+0xae/0x150
[    4.558351] Modules linked in:
[    4.558692] CPU: 0 UID: 0 PID: 1 Comm: systemd Tainted: G    B
       6.15.0.net-next-6.16_0b31b995f034+ #3 PREEMPT(voluntary)
[    4.559887] Tainted: [B]=BAD_PAGE
[    4.560246] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9 04/01/2014
[    4.560913] RIP: 0010:refcount_warn_saturate+0xae/0x150
[    4.561443] Code: c3 22 a3 03 01 e8 62 de df fe 0f 0b eb d1 80 3d b1
22 a3 03 00 75 c8 48 c7 c7 a0 77 73 b4 c6 05 a1 22 a3 03 01 e8 42 de df
fe <0f> 0b eb b1 80 3d 8f 22 a3 03 00 75 a8 48 c7 c7 60 78 73 b4 c6 05
[    4.563167] RSP: 0018:ffa000000001fac0 EFLAGS: 00010286
[    4.563708] RAX: 0000000000000000 RBX: ff11000129544680 RCX:
0000000000000000
[    4.564401] RDX: 0000000000000002 RSI: 0000000000000004 RDI:
0000000000000001
[    4.565110] RBP: 0000000000000003 R08: 0000000000000001 R09:
ffe21c002b27d8b1
[    4.565817] R10: ff110001593ec58b R11: 0000000000000000 R12:
ff11000129544600
[    4.566511] R13: ff11000129542bc0 R14: 0000000000000001 R15:
ff11000129542c40
[    4.567216] FS:  00007f2c798deb40(0000) GS:ff110001a1bb3000(0000)
knlGS:0000000000000000
[    4.568005] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    4.568579] CR2: 000055c3cefb01d8 CR3: 0000000120b4c003 CR4:
0000000000771ef0
[    4.569287] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[    4.569991] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7:
0000000000000400
[    4.570688] PKRU: 55555554
[    4.571005] Call Trace:
[    4.571285]  <TASK>
[    4.571538]  unix_release_sock+0x9ee/0x1040
[    4.571984]  ? rcu_is_watching+0x11/0xb0
[    4.572398]  ? __pfx_unix_release_sock+0x10/0x10
[    4.572881]  ? down_write+0xb4/0x220
[    4.573268]  ? __pfx_down_write+0x10/0x10
[    4.573687]  unix_release+0x88/0xe0
[    4.574074]  __sock_release+0xa3/0x260
[    4.574474]  sock_close+0x14/0x20
[    4.574842]  __fput+0x365/0xa80
[    4.575197]  fput_close_sync+0xd9/0x190
[    4.575599]  ? __pfx_fput_close_sync+0x10/0x10
[    4.576072]  __x64_sys_close+0x79/0xd0
[    4.576469]  do_syscall_64+0x8c/0x3d0
[    4.576873]  ? __pfx___handle_mm_fault+0x10/0x10
[    4.577354]  ? lock_release+0x121/0x190
[    4.577774]  ? rcu_is_watching+0x11/0xb0
[    4.578188]  ? __count_memcg_events+0x45c/0x5c0
[    4.578654]  ? count_memcg_events_mm.constprop.0+0xd4/0x200
[    4.579275]  ? rcu_is_watching+0x11/0xb0
[    4.579683]  ? lock_release+0x121/0x190
[    4.580100]  ? count_memcg_events_mm.constprop.0+0xd9/0x200
[    4.580658]  ? handle_mm_fault+0x3cf/0x670
[    4.581099]  ? exc_page_fault+0x58/0xc0
[    4.581505]  ? rcu_is_watching+0x11/0xb0
[    4.581925]  ? lock_release+0x121/0x190
[    4.582345]  ? do_user_addr_fault+0x489/0xb10
[    4.582806]  ? rcu_is_watching+0x11/0xb0
[    4.583221]  ? trace_irq_enable.constprop.0+0x14a/0x1b0
    4.583758]  ? clear_bhb_loop+0x60/0xb0
[    4.584165]  ? clear_bhb_loop+0x60/0xb0
[    4.584574]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[    4.585095] RIP: 0033:0x7f2c7a638417
[    4.585471] Code: ff e8 2d f6 01 00 66 2e 0f 1f 84 00 00 00 00 00 0f
1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f
05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 a3 7e f8 ff
[    4.587182] RSP: 002b:00007ffc7c624c58 EFLAGS: 00000246 ORIG_RAX:
0000000000000003
[    4.587921] RAX: ffffffffffffffda RBX: 00007f2c798de9d0 RCX:
00007f2c7a638417
[    4.588611] RDX: 000055c3cefcfeb0 RSI: 000055c3cef580c0 RDI:
0000000000000026
[    4.589318] RBP: 0000000000000026 R08: 00000000ffffffff R09:
0000000000000000
[    4.590019] R10: 0000000000000010 R11: 0000000000000246 R12:
000055c3cef54a10
[    4.590715] R13: 0000000000000000 R14: 00007ffc7c624db0 R15:
000055c3cef57cc0
[    4.591408]  </TASK>
[    4.591665] irq event stamp: 25199
[    4.592044] hardirqs last  enabled at (25199): [<ffffffffb1600e06>]
asm_sysvec_apic_timer_interrupt+0x16/0x20
[    4.592986] hardirqs last disabled at (25198): [<ffffffffb1a1df63>]
handle_softirqs+0x733/0x920
[    4.593824] softirqs last  enabled at (24848): [<ffffffffb1a1de28>]
handle_softirqs+0x5f8/0x920
[    4.594651] softirqs last disabled at (24843): [<ffffffffb1a1e2fb>]
__irq_exit_rcu+0x11b/0x270

I'm going to blindly test a local revert of this series and/or
a9194f88782afa1386641451a6c76beaa60485a0 and will report back.

/P


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ