Netdev List
From: Trond Myklebust <trondmy@hammerspace.com>
To: "liujian56@huawei.com" <liujian56@huawei.com>,
	"kuniyu@amazon.com" <kuniyu@amazon.com>
Cc: "tom@talpey.com" <tom@talpey.com>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"ebiederm@xmission.com" <ebiederm@xmission.com>,
	"chuck.lever@oracle.com" <chuck.lever@oracle.com>,
	"pabeni@redhat.com" <pabeni@redhat.com>,
	"okorniev@redhat.com" <okorniev@redhat.com>,
	"anna@kernel.org" <anna@kernel.org>,
	"kuba@kernel.org" <kuba@kernel.org>,
	"jlayton@kernel.org" <jlayton@kernel.org>,
	"Dai.Ngo@oracle.com" <Dai.Ngo@oracle.com>,
	"edumazet@google.com" <edumazet@google.com>,
	"neilb@suse.de" <neilb@suse.de>,
	"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH net] sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket
Date: Sat, 26 Oct 2024 00:35:30 +0000
Message-ID: <0e434c61120b5b4a530731260c0f2c72ad02fa6f.camel@hammerspace.com>
In-Reply-To: <20241025212038.31584-1-kuniyu@amazon.com>

On Fri, 2024-10-25 at 14:20 -0700, Kuniyuki Iwashima wrote:
> From: "liujian (CE)" <liujian56@huawei.com>
> Date: Fri, 25 Oct 2024 11:32:52 +0800
> > > > > If not, then what prevents it from happening?
> > > > The socket created by the userspace program obtains the reference
> > > > counting of the namespace, but the kernel socket does not.
> > > > 
> > > > There's some discussion here:
> > > > https://lore.kernel.org/all/CANn89iJE5anTbyLJ0TdGAqGsE+GichY3YzQECjNUVMz=G3bcQg@mail.gmail.com/
> > > OK... So then it looks to me as if NFS, SMB, AFS, and any other
> > > networked filesystem that can be started from inside a container is
> > > going to need to do the same thing that rds appears to be doing.
> 
> FWIW, recently we saw a similar UAF on CIFS.
> 
> 
> > > 
> > > Should there perhaps be a helper function in the networking layer for
> > > this?
> > 
> > There should be no such helper function at present, right?
> > 
> > If get net's reference to fix this problem, the following test is
> > performed. There's nothing wrong with this case. I don't know if
> > there's anything else to consider.
> > 
> > I don't have any other ideas other than these two methods. Do you
> > have any suggestions on this problem? @Eric @Jakub ... @All
> 
> The netns lifetime should be managed by the upper layer rather than
> the networking layer.  If the netns is already dead, the upper layer
> must discard the net pointer anyway.
> 
> I suggest checking maybe_get_net() in NFS, CIFS, etc and then calling
> __sock_create() with kern 0.
> 

Thanks for the suggestion, but we already manage the netns lifetime in
the RPC layer. A reference is taken when the filesystem is being
mounted. It is dropped when the filesystem is being unmounted.

The problem is the TCP timer races on shutdown. There is no interest in
having to manage that in the RPC layer.



-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@hammerspace.com
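
The lifetime problem discussed in this thread, as a userspace C model added here (not code from the thread, the patch, or the kernel): a socket created with `kern` set only borrows the netns pointer, so a timer that outlives the mount's reference sees a dead namespace, while a socket created with `kern` 0 pins it. All `model_*` names and `timer_safe_after_unmount()` are hypothetical, and dropping the socket's reference when the timer fires is a simplification.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed userspace model; all names are hypothetical, not kernel code. */
struct model_net { int refs; bool alive; };
struct model_sock { struct model_net *net; bool holds_net_ref; };

/* Mirrors the idea of maybe_get_net(): succeed only while the netns is alive. */
static struct model_net *model_maybe_get_net(struct model_net *net)
{
    if (!net->alive || net->refs == 0) return NULL;
    net->refs++;
    return net;
}

static void model_put_net(struct model_net *net)
{
    if (--net->refs == 0) net->alive = false; /* netns torn down at zero */
}

/* kern != 0: socket only borrows the pointer; kern == 0: socket pins the netns. */
static bool model_sock_create(struct model_sock *sk, struct model_net *net, int kern)
{
    sk->net = net; sk->holds_net_ref = false;
    if (!kern) {
        if (!model_maybe_get_net(net)) return false;
        sk->holds_net_ref = true;
    }
    return true;
}

/* A leftover timer dereferences sk->net; false means it touched a dead netns. */
static bool model_timer_fire(struct model_sock *sk)
{
    bool safe = sk->net->alive;
    if (sk->holds_net_ref) model_put_net(sk->net); /* simplified release point */
    return safe;
}

/* Mount takes a netns ref, unmount drops it, then the pending timer fires. */
bool timer_safe_after_unmount(int kern)
{
    struct model_net net = { .refs = 1, .alive = true }; /* mount's reference */
    struct model_sock sk;
    if (!model_sock_create(&sk, &net, kern)) return false;
    model_put_net(&net); /* unmount drops the RPC layer's reference */
    return model_timer_fire(&sk);
}
```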



Thread overview: 10+ messages
2024-10-24  1:55 [PATCH net] sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket Liu Jian
2024-10-24  2:20 ` Trond Myklebust
2024-10-24 12:57   ` Trond Myklebust
2024-10-24 13:40     ` liujian (CE)
2024-10-24 13:57       ` Trond Myklebust
2024-10-25  3:32         ` liujian (CE)
2024-10-25 21:20           ` Kuniyuki Iwashima
2024-10-26  0:35             ` Trond Myklebust [this message]
2024-10-26  0:48               ` Kuniyuki Iwashima
2024-10-26  1:31                 ` liujian (CE)
