lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <674de0c8-5d90-4850-a7c8-b3129a2f79ec@gmail.com>
Date: Thu, 12 Jun 2025 14:11:50 +0200
From: Jacek Łuczak <difrost.kernel@...il.com>
To: Kuniyuki Iwashima <kuni1840@...il.com>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>
Cc: Simon Horman <horms@...nel.org>, Kuniyuki Iwashima <kuniyu@...gle.com>,
 Christian Heusel <christian@...sel.eu>,
 André Almeida <andrealmeid@...lia.com>,
 netdev@...r.kernel.org
Subject: Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without
 SO_PASSCRED/SO_PASSPIDFD.

On 6/11/25 10:27 PM, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@...gle.com>
> 
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
> 
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
> 
> However, as reported in the link below, it caused a regression for
> some programs that assume credentials are included in every skb,
> but sometimes not now.
> 
> The only problematic scenario would be that a socket starts listening
> before setting the option.  Then, there will be 2 types of non-small
> race window, where a client can send skb without credentials, which
> the peer receives as an "invalid" message (and aborts the connection
> it seems ?):
> 
>    Client                    Server
>    ------                    ------
>                              s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>    s2.connect()
>    s2.send()  <-- w/o cred
>                              s1.setsockopt(SO_PASS{CRED,PIDFD})
>    s2.send()  <-- w/  cred
> 
> or
> 
>    Client                    Server
>    ------                    ------
>                              s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>    s2.connect()
>    s2.send()  <-- w/o cred
>                              s3, _ = s1.accept()  <-- Inherit cred options
>    s2.send()  <-- w/o cred                            but not set yet
> 
>                              s3.setsockopt(SO_PASS{CRED,PIDFD})
>    s2.send()  <-- w/  cred
> 
> It's unfortunate that buggy programs depend on the behaviour,
> but let's restore the previous behaviour.
> 
> Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
> Reported-by: Jacek Łuczak <difrost.kernel@...il.com>
> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>
> ---
>   net/unix/af_unix.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index fd6b5e17f6c4..87439d7f965d 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1971,7 +1971,8 @@ static void unix_maybe_add_creds(struct sk_buff *skb, const struct sock *sk,
>   	if (UNIXCB(skb).pid)
>   		return;
>   
> -	if (unix_may_passcred(sk) || unix_may_passcred(other)) {
> +	if (unix_may_passcred(sk) || unix_may_passcred(other) ||
> +	    !other->sk_socket) {
>   		UNIXCB(skb).pid = get_pid(task_tgid(current));
>   		current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
>   	}

Tested-by: Jacek Łuczak <difrost.kernel@...il.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ