From: Tim Chen <tim.c.chen@linux.intel.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: sedat.dilek@gmail.com, "Yan, Zheng" <zheng.z.yan@intel.com>,
"Yan, Zheng" <yanzheng@21cn.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"sfr@canb.auug.org.au" <sfr@canb.auug.org.au>,
"jirislaby@gmail.com" <jirislaby@gmail.com>,
"Shi, Alex" <alex.shi@intel.com>,
Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Subject: Re: [PATCH net-next] af_unix: fix use after free in unix_stream_recvmsg()
Date: Fri, 09 Sep 2011 03:39:58 -0700
Message-ID: <1315564798.2363.37.camel@schen9-mobl>
In-Reply-To: <1315555109.2294.9.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC>
On Fri, 2011-09-09 at 09:58 +0200, Eric Dumazet wrote:
> On Friday 09 September 2011 at 08:51 +0200, Eric Dumazet wrote:
>
> > Now we have to fix a bug in unix_stream_recvmsg() as well.
> >
> > consume_skb() call actually releases pid/cred references, and we can use
> > them after their eventual freeing.
> >
> > Also keep in mind that the receiver can provide a too short user buffer,
> > and the skb can be put back to the head of sk_receive_queue.
> >
>
> Here is the patch to address this point.
>
> Apply it after (af_unix: Fix use-after-free crashes)
>
> I can make a combo patch once everybody agrees.
>
> [PATCH net-next] af_unix: fix use after free in unix_stream_recvmsg()
>
> Commit 0856a30409 (Scm: Remove unnecessary pid & credential references
> in Unix socket's send and receive path) introduced a use-after-free
> bug in unix_stream_recvmsg().
>
> We should call consume_skb(skb) only after our possible use of pid/cred.
>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> ---
> net/unix/af_unix.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index c8a08ba..1bd4ecf 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1873,6 +1873,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
> int target;
> int err = 0;
> long timeo;
> + struct sk_buff *skb;
>
> err = -EINVAL;
> if (sk->sk_state != TCP_ESTABLISHED)
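Review bot: the hoisted `struct sk_buff *skb;` has no initializer, and the new trailing `consume_skb(skb);` after scm_recv() depends on every exit from the do/while leaving skb either NULL or pointing at an skb this function still owns. That holds today because the loop body always runs at least once and assigns skb from skb_dequeue() before any break, but `struct sk_buff *skb = NULL;` at the declaration would make the invariant explicit and survive a future early break inserted ahead of the dequeue.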
> @@ -1904,7 +1905,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
>
> do {
> int chunk;
> - struct sk_buff *skb;
>
> unix_state_lock(sk);
> skb = skb_dequeue(&sk->sk_receive_queue);
> @@ -1949,6 +1949,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
> if ((UNIXCB(skb).pid != siocb->scm->pid) ||
> (UNIXCB(skb).cred != siocb->scm->cred)) {
> skb_queue_head(&sk->sk_receive_queue, skb);
> + skb = NULL;
> break;
> }
> } else {
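Review bot: the `skb = NULL;` after skb_queue_head() in the pid/cred mismatch path is load-bearing, not cosmetic: once requeued, the skb belongs to sk_receive_queue again, and without the reset the trailing consume_skb(skb) at the end of the function would drop a reference the queue still holds, turning the next recvmsg() into a use-after-free. A one-line comment here would keep the pattern from being "cleaned up" later.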
> @@ -1967,6 +1968,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
> chunk = min_t(unsigned int, skb->len, size);
> if (memcpy_toiovec(msg->msg_iov, skb->data, chunk)) {
> skb_queue_head(&sk->sk_receive_queue, skb);
> + skb = NULL;
> if (copied == 0)
> copied = -EFAULT;
> break;
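Review bot: same requeue-then-NULL idiom as the credential mismatch path, with the existing rule that memcpy_toiovec() failure reports -EFAULT only when nothing was copied yet preserved. Since the pair `skb_queue_head(&sk->sk_receive_queue, skb); skb = NULL;` is now repeated in every break path, a small helper (hypothetical name: `unix_requeue(sk, &skb)`) that does both would reduce the chance that a future break path forgets the reset.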
> @@ -1984,13 +1986,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
> /* put the skb back if we didn't use it up.. */
> if (skb->len) {
> skb_queue_head(&sk->sk_receive_queue, skb);
> + skb = NULL;
> break;
> }
>
> - consume_skb(skb);
> -
> - if (siocb->scm->fp)
> + if (UNIXCB(skb).pid || siocb->scm->fp)
> break;
> + consume_skb(skb);
> + skb = NULL;
> } else {
> /* It is questionable, see note in unix_dgram_recvmsg.
> */
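Review bot: this is the actual fix and the ordering deserves a comment in the code. Since commit 0856a30409, siocb->scm->pid and ->cred are the skb's own UNIXCB references rather than separate ones, so the removed `consume_skb(skb);` ahead of `if (siocb->scm->fp) break;` dropped those references while scm_recv() was still going to read them; the new `if (UNIXCB(skb).pid || siocb->scm->fp) break;` leaves skb non-NULL precisely so it stays alive until after scm_recv(). Two things to flag: first, the break now fires on any skb carrying a pid, so a stream recvmsg() with credentials attached returns at most one skb's worth of data even when the next skb would have passed the pid/cred equality check at line 1949, a small behaviour change from the pre-patch loop that belongs in the changelog; second, the condition tests pid only, so it is worth confirming that an skb never carries a cred without a pid, otherwise it would be consumed here while scm->cred still points into it.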
> @@ -1999,12 +2002,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
>
> /* put message back and return */
> skb_queue_head(&sk->sk_receive_queue, skb);
> + skb = NULL;
> break;
> }
> } while (size);
>
> mutex_unlock(&u->readlock);
> scm_recv(sock, msg, siocb->scm, flags);
> + consume_skb(skb);
> out:
> return copied ? : err;
> }
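Review bot: placing `consume_skb(skb);` after scm_recv() is what closes the window, and it relies on consume_skb() treating NULL as a no-op for every requeue path that reset skb. Note that it sits before `out:`, so error paths that jump to out before the loop skip it; that is correct because skb is only assigned inside the loop, but it is one more reason to initialise skb to NULL at declaration rather than rely on control flow. The `/* put message back and return */` path above also gets the `skb = NULL;` reset, so the only way to reach this line with a live skb is the credentials break, which is the intended one.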
>
>
Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
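Added example, not kernel code and not from this thread: a userspace model of the lifetime rule the patch enforces (credentials borrowed from the skb's control block must outlive scm_recv(), and a requeued skb must not be freed). Names mirror the kernel's for readability, but the one-slot queue, the `freed` flag and `recvmsg_model()` are assumptions made so a stale read is detectable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Toy refcounted pid: "freed" is a flag so a stale read is detectable, not UB. */
struct pid { int refcnt; bool freed; };
struct pid *get_pid(struct pid *p) { p->refcnt++; return p; }
void put_pid(struct pid *p) { if (--p->refcnt == 0) p->freed = true; }

struct sk_buff { struct pid *pid; int len; };   /* UNIXCB(skb).pid owns a reference   */
struct scm_cookie { struct pid *pid; };          /* borrows the skb's pointer, no ref   */
struct sock { struct sk_buff *queue_head; };     /* one-slot sk_receive_queue (toy)     */

void consume_skb(struct sk_buff *skb)            /* like the kernel's, NULL is a no-op  */
{
    if (!skb) return;
    put_pid(skb->pid);                            /* unix_destruct_scm -> scm_destroy    */
    free(skb);
}

/* Queue one skb of `len` bytes sent by `sender` on a fresh toy socket (constructed input). */
struct sock *make_sock(struct pid *sender, int len)
{
    struct sk_buff *skb = calloc(1, sizeof *skb);
    struct sock *sk = calloc(1, sizeof *sk);
    skb->pid = get_pid(sender);
    skb->len = len;
    sk->queue_head = skb;
    return sk;
}

/* One recvmsg() over the toy queue. Returns bytes copied, or -1 if scm_recv()
 * would have read a pid whose last reference was already dropped. */
int recvmsg_model(struct sock *sk, int size, bool buggy_order)
{
    struct sk_buff *skb = sk->queue_head;
    sk->queue_head = NULL;                        /* skb_dequeue()                       */
    struct scm_cookie scm = { .pid = skb->pid };  /* credentials borrowed from the skb   */
    int chunk = skb->len < size ? skb->len : size;
    skb->len -= chunk;                            /* skb_pull() after copying to user    */
    if (skb->len) {                               /* short user buffer: put it back      */
        sk->queue_head = skb;
        skb = NULL;                               /* the queue owns it again             */
    } else if (buggy_order) {
        consume_skb(skb);                         /* pre-patch order: reference dropped  */
        skb = NULL;
    }
    int rc = (scm.pid && scm.pid->freed) ? -1 : chunk;   /* scm_recv() reads the pid     */
    consume_skb(skb);                             /* patched order: free after scm_recv()*/
    return rc;
}
```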