From: Kuniyuki Iwashima <kuni1840@gmail.com>
To: paul@paul-moore.com
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
horms@kernel.org, huw@codeweavers.com, john.cs.hey@gmail.com,
kuba@kernel.org, kuni1840@gmail.com, kuniyu@google.com,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, syzkaller@googlegroups.com
Subject: Re: [PATCH v1 net] calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
Date: Tue, 17 Jun 2025 14:22:36 -0700 [thread overview]
Message-ID: <20250617212334.1910048-1-kuni1840@gmail.com> (raw)
In-Reply-To: <CAHC9VhTPymjNwkz9FHFHQbbRMgjMQT80zj1aT+3CFDVY=Eo5wg@mail.gmail.com>
From: Paul Moore <paul@paul-moore.com>
Date: Tue, 17 Jun 2025 17:04:18 -0400
> On Mon, Jun 16, 2025 at 1:26 PM Kuniyuki Iwashima <kuni1840@gmail.com> wrote:
> >
> > From: Kuniyuki Iwashima <kuniyu@google.com>
> >
> > syzkaller reported a null-ptr-deref in sock_omalloc() while allocating
> > a CALIPSO option. [0]
> >
> > The NULL is of struct sock, which was fetched by sk_to_full_sk() in
> > calipso_req_setattr().
> >
> > Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"),
> > reqsk->rsk_listener could be NULL when SYN Cookie is returned to its
> > client, as hinted by the leading SYN Cookie log.
> >
> > Here are 3 options to fix the bug:
> >
> > 1) Return 0 in calipso_req_setattr()
> > 2) Return an error in calipso_req_setattr()
> > 3) Alaways set rsk_listener
> >
> > 1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie
> > for CALIPSO. 3) is also no go as there have been many efforts to reduce
> > atomic ops and make TCP robust against DDoS. See also commit 3b24d854cb35
> > ("tcp/dccp: do not touch listener sk_refcnt under synflood").
> >
> > As of the blamed commit, SYN Cookie already did not need refcounting,
> > and no one has stumbled on the bug for 9 years, so no CALIPSO user will
> > care about SYN Cookie.
> >
> > Let's return an error in calipso_req_setattr() and calipso_req_delattr()
> > in the SYN Cookie case.
>
> I think that's reasonable, but I think it would be nice to have a
> quick comment right before the '!sk' checks to help people who may hit
> the CALIPSO/SYN-cookie issue in the future. Maybe "/*
> tcp_syncookies=2 can result in sk == NULL */" ?
tcp_syncookies=1 enables SYN cookie and =2 forces it for every request.
I just used =2 to reproduce the issue without SYN flooding, so it would
be /* sk is NULL for SYN+ACK w/ SYN Cookie */
But I think no one will hit it (at least so for 9 years) and wonder why
because SYN could be dropped randomly under such a event.
next prev parent reply other threads:[~2025-06-17 21:23 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-16 17:25 [PATCH v1 net] calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() Kuniyuki Iwashima
2025-06-17 21:04 ` Paul Moore
2025-06-17 21:22 ` Kuniyuki Iwashima [this message]
2025-06-17 22:08 ` Paul Moore
2025-06-17 22:35 ` Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250617212334.1910048-1-kuni1840@gmail.com \
--to=kuni1840@gmail.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=huw@codeweavers.com \
--cc=john.cs.hey@gmail.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=paul@paul-moore.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).