| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a7a96192-9c45-496e-9bd5-130c6e4f7365@heusel.eu>
Date: Wed, 11 Jun 2025 23:03:52 +0200
From: Christian Heusel <christian@...sel.eu>
To: Kuniyuki Iwashima <kuni1840@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Kuniyuki Iwashima <kuniyu@...gle.com>, André Almeida <andrealmeid@...lia.com>,
netdev@...r.kernel.org, Jacek Łuczak <difrost.kernel@...il.com>
Subject: Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without
SO_PASSCRED/SO_PASSPIDFD.
On 25/06/11 01:27PM, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@...gle.com>
>
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
>
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
>
> However, as reported in the link below, it caused a regression for
> some programs that assume credentials are included in every skb,
> but sometimes not now.
>
> The only problematic scenario would be that a socket starts listening
> before setting the option. Then, there will be 2 types of non-small
> race window, where a client can send skb without credentials, which
> the peer receives as an "invalid" message (and aborts the connection
> it seems ?):
>
> Client Server
> ------ ------
> s1.listen() <-- No SO_PASS{CRED,PIDFD}
> s2.connect()
> s2.send() <-- w/o cred
> s1.setsockopt(SO_PASS{CRED,PIDFD})
> s2.send() <-- w/ cred
>
> or
>
> Client Server
> ------ ------
> s1.listen() <-- No SO_PASS{CRED,PIDFD}
> s2.connect()
> s2.send() <-- w/o cred
> s3, _ = s1.accept() <-- Inherit cred options
> s2.send() <-- w/o cred but not set yet
>
> s3.setsockopt(SO_PASS{CRED,PIDFD})
> s2.send() <-- w/ cred
>
> It's unfortunate that buggy programs depend on the behaviour,
> but let's restore the previous behaviour.
>
> Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
> Reported-by: Jacek Łuczak <difrost.kernel@...il.com>
> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>
> ---
> net/unix/af_unix.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index fd6b5e17f6c4..87439d7f965d 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1971,7 +1971,8 @@ static void unix_maybe_add_creds(struct sk_buff *skb, const struct sock *sk,
> if (UNIXCB(skb).pid)
> return;
>
> - if (unix_may_passcred(sk) || unix_may_passcred(other)) {
> + if (unix_may_passcred(sk) || unix_may_passcred(other) ||
> + !other->sk_socket) {
> UNIXCB(skb).pid = get_pid(task_tgid(current));
> current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
> }
> --
> 2.49.0
Tested-by: Christian Heusel <christian@...sel.eu>
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists