From: Hagar Hemdan <hagarhem@amazon.com>
To: Simon Horman <horms@kernel.org>
Cc: Norbert Manthey <nmanthey@amazon.de>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
Sabrina Dubroca <sd@queasysnail.net>, <netdev@vger.kernel.org>,
<hagarhem@amazon.de>
Subject: Re: [PATCH] net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
Date: Fri, 17 May 2024 13:17:57 +0000 [thread overview]
Message-ID: <20240517131757.GA12613@amazon.com> (raw)
In-Reply-To: <20240517122238.GE443576@kernel.org>
On Fri, May 17, 2024 at 01:22:38PM +0100, Simon Horman wrote:
> On Thu, May 16, 2024 at 08:03:09AM +0000, Hagar Hemdan wrote:
> > xmit() functions should consume skb or return error codes in error
> > paths.
> > When the configuration "CONFIG_INET_ESPINTCP" is not used, the
> > implementation of the function "esp_output_tail_tcp" violates this rule.
> > The function frees the skb and returns the error code.
> > This change removes the kfree_skb from both functions, for both
> > esp4 and esp6.
> >
> > This should not be reachable in the current code, so this change is just
> > a cleanup.
> >
> > This bug was discovered and resolved using Coverity Static Analysis
> > Security Testing (SAST) by Synopsys, Inc.
> >
> > Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
> > Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
>
> Hi Hagar,
>
> If esp_output() may be the x->type->output callback called from esp_output()
> then I agree that this seems to be a problem as it looks like a double free
> may occur.
>
> However, I believe that your proposed fix introduces will result in skb
> being leaked leak in the case of esp_output_done() calling
> esp_output_tail_tcp(). Perhaps a solution is for esp_output_done()
> to free the skb if esp_output_tail_tcp() fails.
>
> I did not analyse other call-chains, but I think such analysis is needed.
>
> ...
Hi Simon,
I see all calls to esp_output_tail_tcp() is surrounded by the condition
"x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP" which I see
it is related to enabling of CONFIG_INET_ESPINTCP configuration
(introduced in this commit e27cca96cd68 ("xfrm: add espintcp (RFC 8229)").
For calling of x->type->output (resolved to esp_output()) in
xfrm_output_one(), I see there is no double free here as esp_output()
calls esp_output_tail() which calls esp_output_tail_tcp() only if
x->encap->encap_type == TCP_ENCAP_ESPINTCP which points to the first
implementation of esp_output_tail_tcp(). This first definition
doesn't free skb.
So my understanding is the 2nd esp_output_tail_tcp() should not be
called and this is why I called WARN_ON() as this func is unreachable.
Removing free(skb) here is just for silencing double free Coverity
false positive.
Is there something else I miss?
next prev parent reply other threads:[~2024-05-17 13:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-16 8:03 [PATCH] net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP Hagar Hemdan
2024-05-17 12:22 ` Simon Horman
2024-05-17 13:17 ` Hagar Hemdan [this message]
2024-05-17 15:57 ` Simon Horman
2024-05-18 12:55 ` Hagar Hemdan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240517131757.GA12613@amazon.com \
--to=hagarhem@amazon.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=hagarhem@amazon.de \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nmanthey@amazon.de \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.