From: Jakub Sitnicki <jakub@cloudflare.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: John Fastabend <john.fastabend@gmail.com>,
martin.lau@kernel.org, bpf@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH bpf v2 1/2] bpf: sockmap, af_unix stream sockets need to hold ref for pair sock
Date: Fri, 24 Nov 2023 14:43:24 +0100 [thread overview]
Message-ID: <87zfz32r6j.fsf@cloudflare.com> (raw)
In-Reply-To: <ZV+07PlDoxrcAn9c@pop-os.localdomain>
On Thu, Nov 23, 2023 at 12:24 PM -08, Cong Wang wrote:
> On Wed, Nov 22, 2023 at 11:24:51AM -0800, John Fastabend wrote:
>> AF_UNIX stream sockets are a paired socket. So sending on one of the pairs
>> will lookup the paired socket as part of the send operation. It is possible
>> however to put just one of the pairs in a BPF map. This currently
>> increments the refcnt on the sock in the sockmap to ensure it is not
>> free'd by the stack before sockmap cleans up its state and stops any
>> skbs being sent/recv'd to that socket.
>>
>> But we missed a case. If the peer socket is closed it will be
>> free'd by the stack. However, the paired socket can still be
>> referenced from BPF sockmap side because we hold a reference
>> there. Then if we are sending traffic through BPF sockmap to
>> that socket it will try to dereference the free'd pair in its
>> send logic creating a use after free. And following splat,
>
> Hmm, how could it pass the SOCK_DEAD test in unix_stream_sendmsg()?
>
> 2285 unix_state_lock(other);
> 2286
> 2287 if (sock_flag(other, SOCK_DEAD) ||
> 2288 (other->sk_shutdown & RCV_SHUTDOWN))
> 2289 goto pipe_err_free;
The quoted UAF happens after unix_state_unlock(other):
2285 unix_state_lock(other);
2286
2287 if (sock_flag(other, SOCK_DEAD) ||
2288 (other->sk_shutdown & RCV_SHUTDOWN))
2289 goto pipe_err_free;
2290
2291 maybe_add_creds(skb, sock, other);
2292 scm_stat_add(other, skb);
2293 skb_queue_tail(&other->sk_receive_queue, skb);
2294 unix_state_unlock(other);
2295 other->sk_data_ready(other); <-- UAF
Although, I think I saw it happen at unix_state_lock(other) as well.
We don't hold a ref on other, so we're racing with __sock_release /
unix_release_sock.
next prev parent reply other threads:[~2023-11-24 13:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-22 19:24 [PATCH bpf v2 0/2] sockmap fix for KASAN_VMALLOC and af_unix John Fastabend
2023-11-22 19:24 ` [PATCH bpf v2 1/2] bpf: sockmap, af_unix stream sockets need to hold ref for pair sock John Fastabend
2023-11-23 17:55 ` Yonghong Song
2023-11-23 20:24 ` Cong Wang
2023-11-24 13:43 ` Jakub Sitnicki [this message]
2023-11-22 19:24 ` [PATCH bpf v2 2/2] bpf: sockmap, add af_unix test with both sockets in map John Fastabend
2023-11-24 13:53 ` [PATCH bpf v2 0/2] sockmap fix for KASAN_VMALLOC and af_unix Jakub Sitnicki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zfz32r6j.fsf@cloudflare.com \
--to=jakub@cloudflare.com \
--cc=bpf@vger.kernel.org \
--cc=john.fastabend@gmail.com \
--cc=martin.lau@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.