From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Kleber Sacilotto de Souza <kleber.souza@canonical.com>,
Eric Dumazet <edumazet@google.com>,
netdev@vger.kernel.org, Gerrit Renker <gerrit@erg.abdn.ac.uk>,
"David S. Miller" <davem@davemloft.net>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
"Alexander A. Klimov" <grandmaster@al2klimov.de>,
Kees Cook <keescook@chromium.org>,
Alexey Kodanev <alexey.kodanev@oracle.com>,
dccp@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock
Date: Tue, 10 Nov 2020 08:19:32 -0300 [thread overview]
Message-ID: <20201110111932.GS595944@mussarela> (raw)
In-Reply-To: <20201109141553.30e9d502@kicinski-fedora-PC1C0HJN.hsd1.ca.comcast.net>
On Mon, Nov 09, 2020 at 02:15:53PM -0800, Jakub Kicinski wrote:
> On Mon, 9 Nov 2020 18:31:34 -0300 Thadeu Lima de Souza Cascardo wrote:
> > > Which paths are those (my memory of this code is waning)? I thought
> > > disconnect is only called from the user space side (shutdown syscall).
> > > The only other way to terminate the connection is to close the socket,
> > > which Eric already fixed by postponing the destruction of ccid in that
> > > case.
> >
> > dccp_v4_do_rcv -> dccp_rcv_established -> dccp_parse_options ->
> > dccp_feat_parse_options -> dccp_feat_handle_nn_established ->
> > dccp_feat_activate -> __dccp_feat_activate -> dccp_hdlr_ccid ->
> > ccid_hc_tx_delete
>
> Well, that's not a disconnect path.
>
> There should be no CCID on a disconnected socket, tho, right? Otherwise
> if we can switch from one active CCID to another then reusing a single
> timer in struct dccp_sock for both is definitely not safe as I
> explained in my initial email.
Yeah, I agree with your initial email. The patch I submitted for that fix needs
rework, which is what I tried and failed so far. I need to get back to some
testing of my latest fix and find out what needs fixing there.
But I am also saying that simply doing a del_timer_sync on disconnect paths
won't do, because there are non-disconnect paths where there is a CCID that we
will remove and replace and that will still trigger a timer UAF.
So I have been working on a fix that involves a refcnt on ccid itself. But I
want to test that it really fixes the problem and I have spent most of the time
finding out a way to trigger the timer in a race with the disconnect path.
And that same test has showed me that this timer UAF will happen regardless of
commit 2677d20677314101293e6da0094ede7b5526d2b1, which led me into stating that
reverting it should be done in any case.
I think I can find some time this week to work a little further on the fix for
the time UAF.
Thanks.
Cascardo.
next prev parent reply other threads:[~2020-11-10 11:19 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-13 17:18 [PATCH 0/2] net: dccp: fix structure use-after-free Kleber Sacilotto de Souza
2020-10-13 17:18 ` [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock Kleber Sacilotto de Souza
2020-10-13 18:58 ` Richard Sailer
2020-10-15 3:43 ` Jakub Kicinski
2020-10-15 10:53 ` Thadeu Lima de Souza Cascardo
2020-10-16 22:30 ` Jakub Kicinski
2020-11-09 11:48 ` Thadeu Lima de Souza Cascardo
2020-11-09 17:49 ` Jakub Kicinski
2020-11-09 21:09 ` Thadeu Lima de Souza Cascardo
2020-11-09 21:15 ` Jakub Kicinski
2020-11-09 21:31 ` Thadeu Lima de Souza Cascardo
2020-11-09 22:15 ` Jakub Kicinski
2020-11-10 11:19 ` Thadeu Lima de Souza Cascardo [this message]
2020-11-10 16:16 ` Jakub Kicinski
2020-10-13 17:18 ` [PATCH 2/2] Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()" Kleber Sacilotto de Souza
2020-10-13 18:59 ` Richard Sailer
2020-10-15 3:42 ` Jakub Kicinski
2020-10-15 9:23 ` Kleber Souza
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201110111932.GS595944@mussarela \
--to=cascardo@canonical.com \
--cc=alexey.kodanev@oracle.com \
--cc=davem@davemloft.net \
--cc=dccp@vger.kernel.org \
--cc=edumazet@google.com \
--cc=gerrit@erg.abdn.ac.uk \
--cc=grandmaster@al2klimov.de \
--cc=gustavoars@kernel.org \
--cc=keescook@chromium.org \
--cc=kleber.souza@canonical.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).