Message-ID: <dc01a67a-9946-456b-bfe8-fb20df0dc464@redhat.com>
Date: Tue, 15 Jul 2025 11:50:10 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Matt Johnston <matt@...econstruct.com.au>,
Jeremy Kerr <jk@...econstruct.com.au>, "David S. Miller"
<davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH net-next v4 2/8] net: mctp: Prevent duplicate binds
On 7/10/25 10:55 AM, Matt Johnston wrote:
> @@ -611,15 +610,36 @@ static void mctp_sk_close(struct sock *sk, long timeout)
> static int mctp_sk_hash(struct sock *sk)
> {
> struct net *net = sock_net(sk);
> + struct sock *existing;
> + struct mctp_sock *msk;
> + int rc;
> +
> + msk = container_of(sk, struct mctp_sock, sk);
>
> /* Bind lookup runs under RCU, remain live during that. */
> sock_set_flag(sk, SOCK_RCU_FREE);
>
> mutex_lock(&net->mctp.bind_lock);
> - sk_add_node_rcu(sk, &net->mctp.binds);
> - mutex_unlock(&net->mctp.bind_lock);
>
> - return 0;
> + /* Prevent duplicate binds. */
> + sk_for_each(existing, &net->mctp.binds) {
> + struct mctp_sock *mex =
> + container_of(existing, struct mctp_sock, sk);
> +
> + if (mex->bind_type == msk->bind_type &&
> + mex->bind_addr == msk->bind_addr &&
> + mex->bind_net == msk->bind_net) {
> + rc = -EADDRINUSE;
> + goto out;
> + }
It looks like the list size is bounded only implicitly by ulimit -n.
Fuzzers or a bad setup could hang the kernel with an extremely long list traversal.
Not blocking this patch, but I suggest either using a hash/tree to
store the binding, or checking for "rescheduling needed" in the loop.
/P
> + }
> +
> + sk_add_node_rcu(sk, &net->mctp.binds);
> + rc = 0;
> +
> +out:
> + mutex_unlock(&net->mctp.bind_lock);
> + return rc;
> }
>
> static void mctp_sk_unhash(struct sock *sk)
>
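Review bot: sock_set_flag(sk, SOCK_RCU_FREE) still runs before the new duplicate check in mctp_sk_hash(), so on the -EADDRINUSE path the flag stays set on a socket that was never added to net->mctp.binds. Consider setting it just before sk_add_node_rcu(), or extending the existing comment to say that leaving it set on a failed hash is intentional. The "Prevent duplicate binds." comment could also name the three fields that define a duplicate (bind_type, bind_addr, bind_net) and note that the plain sk_for_each() walk relies on bind_lock being held for the whole traversal.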