Message-ID: <CAJwJo6ad+Tc5WHqpCJ78PxJTW0m0P683N_-oDBoG4iBiSSf0qw@mail.gmail.com>
Date: Sun, 31 Aug 2025 00:55:11 +0100
From: Dmitry Safonov <0x7f454c46@...il.com>
To: cpaasch@...nai.com
Cc: Eric Dumazet <edumazet@...gle.com>, Neal Cardwell <ncardwell@...gle.com>, 
	Kuniyuki Iwashima <kuniyu@...gle.com>, "David S. Miller" <davem@...emloft.net>, 
	David Ahern <dsahern@...nel.org>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, 
	Simon Horman <horms@...nel.org>, Salam Noureddine <noureddine@...sta.com>, netdev@...r.kernel.org
Subject: Re: [PATCH net] net/tcp: Fix socket memory leak in TCP-AO failure
 handling for IPv6

On Sat, 30 Aug 2025 at 23:55, Christoph Paasch via B4 Relay
<devnull+cpaasch.openai.com@...nel.org> wrote:
>
> From: Christoph Paasch <cpaasch@...nai.com>
>
> When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
> exits the function. This ends up causing a memory-leak:
>
> unreferenced object 0xffff0000281a8200 (size 2496):
>   comm "softirq", pid 0, jiffies 4295174684
>   hex dump (first 32 bytes):
>     7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................
>     0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00  ...a............
>   backtrace (crc 5ebdbe15):
>     kmemleak_alloc+0x44/0xe0
>     kmem_cache_alloc_noprof+0x248/0x470
>     sk_prot_alloc+0x48/0x120
>     sk_clone_lock+0x38/0x3b0
>     inet_csk_clone_lock+0x34/0x150
>     tcp_create_openreq_child+0x3c/0x4a8
>     tcp_v6_syn_recv_sock+0x1c0/0x620
>     tcp_check_req+0x588/0x790
>     tcp_v6_rcv+0x5d0/0xc18
>     ip6_protocol_deliver_rcu+0x2d8/0x4c0
>     ip6_input_finish+0x74/0x148
>     ip6_input+0x50/0x118
>     ip6_sublist_rcv+0x2fc/0x3b0
>     ipv6_list_rcv+0x114/0x170
>     __netif_receive_skb_list_core+0x16c/0x200
>     netif_receive_skb_list_internal+0x1f0/0x2d0
>
> This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when
> exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need
> to be called. They make sure the newsk will end up being correctly
> free'd.
>
> tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit
> label that takes care of things. So, this patch here makes sure
> tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar
> error-handling and thus fixes the leak for TCP-AO.
>
> Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
> Signed-off-by: Christoph Paasch <cpaasch@...nai.com>

Thanks, Christoph!

Reviewed-by: Dmitry Safonov <0x7f454c46@...il.com>

Quite a blunder to miss an error path like that, ugh.

Thanks,
             Dmitry
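
Added example, not part of this thread or of the patch: a userspace C model of the error path the commit message describes, with the early return beside the shared put_and_exit label. Every model_* name, the ao_fails flag (standing in for a failing tcp_ao_copy_all_matching()) and the two-reference starting count are assumptions made for illustration, not kernel code.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; every model_* name is hypothetical, not a kernel API. */
struct model_sock { int refcnt; };
static int live_socks;                 /* allocated and not yet freed */
static struct model_sock *last_child;  /* lets a caller inspect a stranded object */
/* Stands in for tcp_create_openreq_child(); two initial refs is an assumption. */
static struct model_sock *model_create_child(void)
{
    struct model_sock *sk = malloc(sizeof(*sk));
    if (!sk) return NULL;
    sk->refcnt = 2;
    live_socks++;
    return last_child = sk;
}
static void model_sock_put(struct model_sock *sk)
{
    if (--sk->refcnt == 0) { free(sk); live_socks--; }
}
/* Stand-ins for inet_csk_prepare_forced_close() and tcp_done(): one put each. */
static void model_prepare_forced_close(struct model_sock *sk) { model_sock_put(sk); }
static void model_done(struct model_sock *sk) { model_sock_put(sk); }

/* Before: a failing key copy (ao_fails) returns straight out of the function. */
static struct model_sock *syn_recv_before(int ao_fails)
{
    struct model_sock *newsk = model_create_child();
    if (newsk && ao_fails)
        return NULL;            /* newsk keeps both references: leaked */
    return newsk;
}
/* After: the failure goes through a shared label that releases newsk. */
static struct model_sock *syn_recv_after(int ao_fails)
{
    struct model_sock *newsk = model_create_child();
    if (newsk && ao_fails)
        goto put_and_exit;
    return newsk;
put_and_exit:
    model_prepare_forced_close(newsk);
    model_done(newsk);
    return NULL;
}

int main(void)
{
    int old, fixed;
    syn_recv_before(1); old = live_socks; live_socks = 0;
    syn_recv_after(1);  fixed = live_socks;
    printf("stranded: old path %d, fixed path %d\n", old, fixed);
    return 0;
}
```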
