lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aFAlmTEPUqBdTJJ6@hovoldconsulting.com>
Date: Mon, 16 Jun 2025 16:09:29 +0200
From: Johan Hovold <johan@...nel.org>
To: Kuniyuki Iwashima <kuni1840@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Kuniyuki Iwashima <kuniyu@...gle.com>,
	Christian Heusel <christian@...sel.eu>,
	André Almeida <andrealmeid@...lia.com>,
	netdev@...r.kernel.org,
	Jacek Łuczak <difrost.kernel@...il.com>
Subject: Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without
 SO_PASSCRED/SO_PASSPIDFD.

On Wed, Jun 11, 2025 at 01:27:35PM -0700, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@...gle.com>
> 
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
> 
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
> 
> However, as reported in the link below, it caused a regression for
> some programs that assume credentials are included in every skb,
> but sometimes not now.
> 
> The only problematic scenario would be that a socket starts listening
> before setting the option.  Then, there will be 2 types of non-small
> race window, where a client can send skb without credentials, which
> the peer receives as an "invalid" message (and aborts the connection
> it seems ?):
> 
>   Client                    Server
>   ------                    ------
>                             s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>   s2.connect()
>   s2.send()  <-- w/o cred
>                             s1.setsockopt(SO_PASS{CRED,PIDFD})
>   s2.send()  <-- w/  cred
> 
> or
> 
>   Client                    Server
>   ------                    ------
>                             s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>   s2.connect()
>   s2.send()  <-- w/o cred
>                             s3, _ = s1.accept()  <-- Inherit cred options
>   s2.send()  <-- w/o cred                            but not set yet
> 
>                             s3.setsockopt(SO_PASS{CRED,PIDFD})
>   s2.send()  <-- w/  cred
> 
> It's unfortunate that buggy programs depend on the behaviour,
> but let's restore the previous behaviour.

For the record, this one fixes the wlroots and Xorg crashes on USB-C
DisplayPort Altmode hotplug that I hit consistently with 6.16-rc1 on
machines like the Lenovo ThinkPad X13s and T14s.

> Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
> Reported-by: Jacek Łuczak <difrost.kernel@...il.com>
> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ