| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <lv6nvdc4lrwhipk6ehtivbnsn7ggb7bujky3z6ybhxorlmisgn@qyuo3egnbdu3>
Date: Wed, 25 Jun 2025 10:46:41 +0200
From: Stefano Garzarella <sgarzare@...hat.com>
To: Michal Luczaj <mhal@...x.co>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Stefan Hajnoczi <stefanha@...hat.com>, virtualization@...ts.linux.dev, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC net v2 2/3] vsock: Fix transport_* TOCTOU
On Fri, Jun 20, 2025 at 09:52:44PM +0200, Michal Luczaj wrote:
>Transport assignment may race with module unload. Protect new_transport
>from becoming a stale pointer.
>
>This also takes care of an insecure call in vsock_use_local_transport();
>add a lockdep assert.
>
>BUG: unable to handle page fault for address: fffffbfff8056000
>Oops: Oops: 0000 [#1] SMP KASAN
>RIP: 0010:vsock_assign_transport+0x366/0x600
>Call Trace:
> vsock_connect+0x59c/0xc40
> __sys_connect+0xe8/0x100
> __x64_sys_connect+0x6e/0xc0
> do_syscall_64+0x92/0x1c0
> entry_SYSCALL_64_after_hwframe+0x4b/0x53
>
>Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
>Signed-off-by: Michal Luczaj <mhal@...x.co>
>---
> net/vmw_vsock/af_vsock.c | 28 +++++++++++++++++++++++-----
> 1 file changed, 23 insertions(+), 5 deletions(-)
LGTM!
Reviewed-by: Stefano Garzarella <sgarzare@...hat.com>
>
>diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
>index 63a920af5bfe6960306a3e5eeae0cbf30648985e..a1b1073a2c89f865fcdb58b38d8e7feffcf1544f 100644
>--- a/net/vmw_vsock/af_vsock.c
>+++ b/net/vmw_vsock/af_vsock.c
>@@ -407,6 +407,8 @@ EXPORT_SYMBOL_GPL(vsock_enqueue_accept);
>
> static bool vsock_use_local_transport(unsigned int remote_cid)
> {
>+ lockdep_assert_held(&vsock_register_mutex);
>+
> if (!transport_local)
> return false;
>
>@@ -464,6 +466,8 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
>
> remote_flags = vsk->remote_addr.svm_flags;
>
>+ mutex_lock(&vsock_register_mutex);
>+
> switch (sk->sk_type) {
> case SOCK_DGRAM:
> new_transport = transport_dgram;
>@@ -479,12 +483,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
> new_transport = transport_h2g;
> break;
> default:
>- return -ESOCKTNOSUPPORT;
>+ ret = -ESOCKTNOSUPPORT;
>+ goto err;
> }
>
> if (vsk->transport) {
>- if (vsk->transport == new_transport)
>- return 0;
>+ if (vsk->transport == new_transport) {
>+ ret = 0;
>+ goto err;
>+ }
>
> /* transport->release() must be called with sock lock acquired.
> * This path can only be taken during vsock_connect(), where we
>@@ -508,8 +515,16 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
> /* We increase the module refcnt to prevent the transport unloading
> * while there are open sockets assigned to it.
> */
>- if (!new_transport || !try_module_get(new_transport->module))
>- return -ENODEV;
>+ if (!new_transport || !try_module_get(new_transport->module)) {
>+ ret = -ENODEV;
>+ goto err;
>+ }
>+
>+ /* It's safe to release the mutex after a successful try_module_get().
>+ * Whichever transport `new_transport` points at, it won't go await
>+ * until the last module_put() below or in vsock_deassign_transport().
>+ */
>+ mutex_unlock(&vsock_register_mutex);
>
> if (sk->sk_type == SOCK_SEQPACKET) {
> if (!new_transport->seqpacket_allow ||
>@@ -528,6 +543,9 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
> vsk->transport = new_transport;
>
> return 0;
>+err:
>+ mutex_unlock(&vsock_register_mutex);
>+ return ret;
> }
> EXPORT_SYMBOL_GPL(vsock_assign_transport);
>
>
>--
>2.49.0
>
Powered by blists - more mailing lists