From: David Miller
Date: Tue, 16 Feb 2016 12:54:58 -0500 (EST)
To: rweikusat@mobileactivedefense.com
Cc: ben@decadent.org.uk, pmhahn@pmhahn.de, hannes@stressinduktion.org, sasha.levin@oracle.com, linux-kernel@vger.kernel.org, kseeger@samba.org, jbaron@akamai.com, gregkh@linuxfoundation.org, requate@univention.de, gohmann@univention.de, netdev@vger.kernel.org
Subject: Re: [PATCH net] af_unix: Guard against other == sk in unix_dgram_sendmsg
Message-Id: <20160216.125458.1817148468081256050.davem@davemloft.net>
In-Reply-To: <87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com>

From: Rainer Weikusat
Date: Thu, 11 Feb 2016 19:37:27 +0000

> The unix_dgram_sendmsg routine uses the following test
>
>     if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
>
> to determine if sk and other are in an n:1 association (either
> established via connect or by using sendto to send messages to an
> unrelated socket identified by address). This isn't correct as the
> specified address could have been bound to the sending socket itself or
> because this socket could have been connected to itself by the time of
> the unix_peer_get but disconnected before the unix_state_lock(other). In
> both cases, the if-block would be entered despite other == sk which
> might either block the sender unintentionally or lead to trying to unlock
> the same spin lock twice for a non-blocking send. Add an other != sk
> check to guard against this.
>
> Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
> Reported-By: Philipp Hahn
> Signed-off-by: Rainer Weikusat

Also applied and queued up for -stable, thanks.
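A userspace model of the double-unlock the commit message describes, added here as an illustration and not taken from the kernel or from the patch: a depth counter stands in for each socket's state spinlock, `model_dgram_send` follows the non-blocking path's lock/unlock sequence (drop other, retake both via the single-lock behaviour of unix_state_double_lock when sk == other, then the shared unlock tail), and `guarded` switches between the original test and the patched one with `other != sk`. The struct layout and the scenario functions are assumptions of the model, not kernel structures.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model of the unix_dgram_sendmsg locking the patch describes
 * (added illustration, not kernel code). A lock is a depth counter, so
 * unlocking an already-free lock shows up as a negative value. */
struct sock {
    int lock_depth;      /* 1 = held, 0 = free, -1 = unlocked twice */
    struct sock *peer;   /* unix_peer(sk); NULL when unconnected */
    bool recvq_full;     /* stands in for unix_recvq_full(other) */
};
static void state_lock(struct sock *s)   { s->lock_depth++; }
static void state_unlock(struct sock *s) { s->lock_depth--; }

/* Non-blocking (timeo == 0) send from sk to other, entered after
 * unix_peer_get(). Returns sk's lock depth on exit; correct is 0.
 * `guarded` selects the patched test with the extra `other != sk`. */
static int model_dgram_send(struct sock *sk, struct sock *other, bool guarded)
{
    bool sk_locked = false;
    bool n_to_1;
    state_lock(other);                    /* unix_state_lock(other) */
    n_to_1 = other->peer != sk && other->recvq_full;
    if (guarded)
        n_to_1 = n_to_1 && other != sk;   /* the patch's added check */
    if (n_to_1) {                         /* n:1 path: wait or -EAGAIN */
        state_unlock(other);              /* drop other, retake both ... */
        state_lock(sk);                   /* ... unix_state_double_lock() */
        if (other != sk)                  /* takes one lock when sk == other */
            state_lock(other);
        sk_locked = true;
    }
    if (sk_locked)
        state_unlock(sk);
    state_unlock(other);                  /* same lock as sk if other == sk */
    return sk->lock_depth;
}

/* Socket bound to its own address, sendto() to that address, queue full */
static int scenario_send_to_self(bool guarded)
{
    struct sock sk = { .lock_depth = 0, .peer = NULL, .recvq_full = true };
    return model_dgram_send(&sk, &sk, guarded);
}

/* Ordinary n:1 case (distinct receiver, full queue); both depths must sum to 0 */
static int scenario_n_to_1(bool guarded)
{
    struct sock rx = { .lock_depth = 0, .peer = NULL, .recvq_full = true };
    struct sock sk = { .lock_depth = 0, .peer = &rx, .recvq_full = false };
    return model_dgram_send(&sk, &rx, guarded) + rx.lock_depth;
}
```

With the original test, the send-to-self scenario ends with sk's lock at depth -1 (unlocked twice); with the guarded test it ends at 0, and the ordinary n:1 case is unaffected either way.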