From: Ming Lei <ming.lei@redhat.com>
To: Yu Kuai <yukuai1@huaweicloud.com>
Cc: linan666@huaweicloud.com, josef@toxicpanda.com, axboe@kernel.dk,
	linux-block@vger.kernel.org, nbd@other.debian.org,
	linux-kernel@vger.kernel.org, linan122@huawei.com,
	yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com,
	"yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [PATCH] nbd: pass nbd_sock to nbd_read_reply() instead of index
Date: Thu, 28 Sep 2023 16:57:16 +0800
Message-ID: <ZRU/7Bx1ZJSX3Qg3@fedora>
In-Reply-To: <41161d21-299c-3657-6020-0a3a9cf109ec@huaweicloud.com>

On Thu, Sep 28, 2023 at 04:55:03PM +0800, Yu Kuai wrote:
> Hi,
> 
> > On 2023/09/28 15:40, Ming Lei wrote:
> > On Thu, Sep 28, 2023 at 02:03:28PM +0800, Yu Kuai wrote:
> > > Hi,
> > > 
> > > > On 2023/09/28 12:05, Ming Lei wrote:
> > > > On Mon, Sep 11, 2023 at 10:33:08AM +0800, linan666@huaweicloud.com wrote:
> > > > > From: Li Nan <linan122@huawei.com>
> > > > > 
> > > > > If a socket is processing ioctl 'NBD_SET_SOCK', config->socks might be
> > > > > krealloc'd in nbd_add_socket(), and if a garbage request is received at
> > > > > that moment, a UAF may occur.
> > > > > 
> > > > >     T1
> > > > >     nbd_ioctl
> > > > >      __nbd_ioctl
> > > > >       nbd_add_socket
> > > > >        blk_mq_freeze_queue
> > > > > 				T2
> > > > >     				recv_work
> > > > >     				 nbd_read_reply
> > > > >     				  sock_xmit
> > > > >        krealloc config->socks
> > > > > 				   def config->socks
> > > > > 
> > > > > Pass nbd_sock to nbd_read_reply(). And introduce a new function
> > > > > sock_xmit_recv(), which differs from sock_xmit only in the way it gets
> > > > > the socket.
> > > > > 
> > > > 
> > > > I am wondering why not grab queue usage counter before calling nbd_read_reply()
> > > > for avoiding such issue, something like the following change:
> > > > 
> > > > diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> > > > index df1cd0f718b8..09215b605b12 100644
> > > > --- a/drivers/block/nbd.c
> > > > +++ b/drivers/block/nbd.c
> > > > @@ -837,9 +837,6 @@ static void recv_work(struct work_struct *work)
> > > >    	while (1) {
> > > >    		struct nbd_reply reply;
> > > > -		if (nbd_read_reply(nbd, args->index, &reply))
> > > > -			break;
> > > > -
> > > >    		/*
> > > >    		 * Grab .q_usage_counter so request pool won't go away, then no
> > > >    		 * request use-after-free is possible during nbd_handle_reply().
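Review bot: dropping the nbd_read_reply() call before the q_usage_counter grab means recv_work() no longer sleeps in sock_recvmsg() waiting for a reply; if the usage-counter grab that follows fails because no request is in flight, the loop exits (the `break;` in the following hunk) instead of waiting, so the commit message should state how recv_work() is meant to wait for the next reply, and the comment 'Grab .q_usage_counter so request pool won't go away' should be reworded for the new ordering.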
> > > > @@ -852,6 +849,9 @@ static void recv_work(struct work_struct *work)
> > > >    			break;
> > > >    		}
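Review bot: this hunk is quoted only up to its leading context lines (`break;` / `}`); the relocated nbd_read_reply() call implied by the removal in the previous hunk is not shown, so its position relative to the usage-counter grab, and whether the reply is read while the counter is held, cannot be checked from this excerpt.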
> > > 
> > > This breaks how nbd works: if there is no reply yet, recv_work() will
> > > wait for a reply in:
> > > 
> > > nbd_read_reply
> > >   sock_xmit
> > >    sock_recvmsg
> > > 
> > > After this change, recv_work() will just return if there is no I/O.
> > 
> > OK, got it, thanks for the input.
> > 
> > But I feel it isn't necessary & fragile to store one extra reference of nsock in
> > `recv_thread_args`.
> > 
> > From a quick look, the only potential UAF on config->socks should be recv_work(),
> > so you can retrieve the `nsock` reference at the entry of recv_work(),
> 
> I don't understand what you mean by retrieving the 'nsock'; is the following
> what you expected?
> 
> blk_queue_enter() -> prevent concurrent with nbd_add_socket
> nsock = config->socks[args->index]
> blk_queue_exit()

Yeah, turns out you do understand, :-)

Thanks,
Ming
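A userspace model of the race and of the enter/exit window sketched above, added here as an example and not code from nbd.c or from this thread. queue_enter(), queue_exit(), add_socket() and recv_work_get_sock() are stand-ins for blk_queue_enter(), blk_queue_exit(), nbd_add_socket() and the entry of recv_work(); the blk_mq_freeze_queue() wait is modelled as an -EBUSY return, and the model assumes, as in nbd.c, that config->socks is a krealloc'd array of pointers to individually allocated nbd_sock objects.

```c
/* Added userspace model, not nbd.c code: config->socks is an array of
 * pointers that nbd_add_socket() krealloc()s, while each nbd_sock is
 * allocated on its own, so a pointer taken inside the blk_queue_enter()/
 * blk_queue_exit() window (modelled by q_usage) outlives the array move. */
#include <errno.h>
#include <stdlib.h>

struct nbd_sock { int fd; };
struct nbd_config { struct nbd_sock **socks; int num_socks; };
struct nbd_device { struct nbd_config *config; int q_usage; };

/* Stand-ins for blk_queue_enter()/blk_queue_exit(): hold a queue usage ref. */
static void queue_enter(struct nbd_device *nbd) { nbd->q_usage++; }
static void queue_exit(struct nbd_device *nbd) { nbd->q_usage--; }

/* Stand-in for nbd_add_socket(): blk_mq_freeze_queue() waits until q_usage
 * is 0; this single-threaded model reports -EBUSY instead of blocking, so the
 * realloc can never overlap a reader's enter/exit window. */
static int add_socket(struct nbd_device *nbd, int fd)
{
    struct nbd_config *c = nbd->config;
    struct nbd_sock **socks, *nsock;
    if (nbd->q_usage)
        return -EBUSY;
    nsock = calloc(1, sizeof(*nsock));
    if (!nsock)
        return -ENOMEM;
    socks = realloc(c->socks, (c->num_socks + 1) * sizeof(*socks));
    if (!socks) {
        free(nsock);
        return -ENOMEM;
    }
    nsock->fd = fd;
    socks[c->num_socks++] = nsock;
    c->socks = socks; /* old array is freed: stale slot pointers would be UAF */
    return 0;
}

/* recv_work() entry as sketched in the thread: index config->socks only
 * inside the enter/exit window, then work with the nsock reference alone. */
static struct nbd_sock *recv_work_get_sock(struct nbd_device *nbd, int index)
{
    struct nbd_sock *nsock;
    queue_enter(nbd);
    nsock = nbd->config->socks[index];
    queue_exit(nbd);
    return nsock;
}
```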
