All of lore.kernel.org
 help / color / mirror / Atom feed
From: Steffen Klassert <steffen.klassert@secunet.com>
To: "Xiang Mei (Microsoft)" <xmei5@asu.edu>
Cc: <herbert@gondor.apana.org.au>, <davem@davemloft.net>,
	<netdev@vger.kernel.org>, <edumazet@google.com>,
	<kuba@kernel.org>, <pabeni@redhat.com>,
	<linux-kernel@vger.kernel.org>,
	<AutonomousCodeSecurity@microsoft.com>,
	<tgopinath@linux.microsoft.com>, <kys@microsoft.com>
Subject: Re: [PATCH ipsec] xfrm: fix sk_dst_cache double-free in xfrm_user_policy()
Date: Mon, 6 Jul 2026 08:14:20 +0200	[thread overview]
Message-ID: <aktHvEy7JC-eGClA@secunet.com> (raw)
In-Reply-To: <20260627024023.2201160-1-xmei5@asu.edi>

On Sat, Jun 27, 2026 at 02:40:23AM +0000, Xiang Mei (Microsoft) wrote:
> From: "Xiang Mei (Microsoft)" <xmei5@asu.edu>
> 
> xfrm_user_policy() clears the socket dst cache with __sk_dst_reset(),
> i.e. the non-atomic __sk_dst_set(sk, NULL): it reads sk_dst_cache with
> rcu_dereference_protected(), stores NULL and dst_release()s the old dst.
> That is only safe if no other thread modifies sk_dst_cache concurrently.
> 
> For a connected UDP socket that does not hold: the transmit fast path
> (udp_sendmsg -> sk_dst_check -> sk_dst_reset) resets the cache locklessly
> with an atomic xchg(). A per-socket policy change racing a send can make
> both sides observe the same old dst and each dst_release() it, dropping
> the socket's single reference twice and freeing the xfrm_dst bundle while
> it is still referenced:
> 
>   BUG: KASAN: slab-use-after-free in dst_release
>   Write of size 4 at addr ffff88801897b6c0 by task exploit/155
>   Call Trace:
>    ...
>    dst_release (... ./include/linux/rcuref.h:109)
>    xfrm_user_policy (./include/net/sock.h:2239 ./include/net/sock.h:2256 net/xfrm/xfrm_state.c:3053)
>    do_ip_setsockopt (net/ipv4/ip_sockglue.c:1347)
>    ip_setsockopt (net/ipv4/ip_sockglue.c:1417)
>    do_sock_setsockopt (net/socket.c:2368)
>    __sys_setsockopt (net/socket.c:2393)
>    __x64_sys_setsockopt (net/socket.c:2396)
>    do_syscall_64 (arch/x86/entry/syscall_64.c:94)
>    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
> 
> Reachable by an unprivileged user via a user+network namespace.
> 
> Use the atomic sk_dst_reset() so the cache is cleared and released with a
> single xchg(): whichever side wins releases the dst once, the other sees
> NULL and does nothing. Behaviour is otherwise unchanged.
> 
> Fixes: 2b06cdf3e688 ("xfrm: Clear sk_dst_cache when applying per-socket policy.")
> Fixes: be8f8284cd89 ("net: xfrm: allow clearing socket xfrm policies.")
> Reported-by: AutonomousCodeSecurity@microsoft.com
> Signed-off-by: Xiang Mei (Microsoft) <xmei5@asu.edu>

Applied, thanks a lot!

  reply	other threads:[~2026-07-06  6:14 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-27  2:40 [PATCH ipsec] xfrm: fix sk_dst_cache double-free in xfrm_user_policy() Xiang Mei (Microsoft)
2026-07-06  6:14 ` Steffen Klassert [this message]
2026-07-06 17:32   ` Xiang Mei

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aktHvEy7JC-eGClA@secunet.com \
    --to=steffen.klassert@secunet.com \
    --cc=AutonomousCodeSecurity@microsoft.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=kuba@kernel.org \
    --cc=kys@microsoft.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=tgopinath@linux.microsoft.com \
    --cc=xmei5@asu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.