netdev.vger.kernel.org archive mirror
* [Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?
From: mengkanglai @ 2023-12-19 13:44 UTC (permalink / raw)
  To: David S. Miller, David Ahern, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
  Cc: Fengtao (fengtao, Euler), Yanan (Euler)

Hello, Eric:

I found that upstream has fixed a UAF issue (smc: Fix use-after-free in tcp_write_timer_handler()):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf

When creating a kernel socket using sock_create_kern, it won't call get_net() to increase the refcnt for the net where the socket is located.
I found some other subsystems (like rds and sunrpc) also use sock_create_kern to create kernel TCP sockets; I want to know if they have the same UAF problem?

Best wishes!



* Re: [Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?
From: Kuniyuki Iwashima @ 2023-12-19 15:09 UTC (permalink / raw)
  To: mengkanglai2
  Cc: davem, dsahern, edumazet, fengtao40, kuba, linux-kernel, netdev,
	pabeni, yanan, kuniyu

From: mengkanglai <mengkanglai2@huawei.com>
Date: Tue, 19 Dec 2023 13:44:36 +0000
> Hello, Eric:
> 
> I found that upstream has fixed a UAF issue (smc: Fix use-after-free in
> tcp_write_timer_handler()):
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf
> 
> When creating a kernel socket using sock_create_kern, it won't call get_net()
> to increase the refcnt for the net where the socket is located.
> I found some other subsystems (like rds and sunrpc) also use sock_create_kern
> to create kernel TCP sockets; I want to know if they have the same UAF problem?

You need to check if the subsystem itself holds net refcnt (not per socket)
and if it waits for TCP timer to be fired before destroying a socket.

It seems that sunrpc holds net refcnt (xprt_net) and rds holds per-socket
net refcnt.

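The lifetime check described in the reply, as an added userspace C model that is not part of the thread and is not kernel code. `struct net`, `struct sock` and every helper name are simplified stand-ins (assumptions), and a `freed` flag replaces real deallocation so the stale access is reported rather than performed; the two safe cases correspond to the per-socket and subsystem-level references the reply mentions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel objects (assumed model, not kernel code). */
struct net  { int refcnt; bool freed; };
struct sock { struct net *net; bool holds_net_ref; };

static void net_get(struct net *n) { n->refcnt++; }
static void net_put(struct net *n) { if (--n->refcnt == 0) n->freed = true; }

/* Models a kernel socket: it points at the netns and pins it only if asked. */
static void kern_sock_init(struct sock *sk, struct net *n, bool take_ref)
{
    sk->net = n;
    sk->holds_net_ref = take_ref;
    if (take_ref)
        net_get(n);                      /* per-socket reference */
}

/* The timer handler reads sk->net; true means that read hits a freed netns. */
static bool timer_sees_freed_net(const struct sock *sk) { return sk->net->freed; }

/* Final socket teardown, after the timer has run. */
static void kern_sock_destroy(struct sock *sk)
{
    if (sk->holds_net_ref)
        net_put(sk->net);
}

/*
 * Scenario: the subsystem does not wait for the TCP timer, the netns owner
 * drops the last user reference, and only then does the timer fire.
 * subsys_ref models a subsystem that pins the netns while timers can run.
 */
static bool scenario_is_uaf(bool per_sock_ref, bool subsys_ref)
{
    struct net n = { .refcnt = 1, .freed = false };  /* 1 = owner's reference */
    struct sock sk;
    bool stale;

    if (subsys_ref) net_get(&n);
    kern_sock_init(&sk, &n, per_sock_ref);
    net_put(&n);                         /* netns owner goes away */
    stale = timer_sees_freed_net(&sk);   /* timer fires afterwards */
    kern_sock_destroy(&sk);
    if (subsys_ref) net_put(&n);
    return stale;
}

int main(void) { printf("%d %d %d\n", scenario_is_uaf(false, false), scenario_is_uaf(true, false), scenario_is_uaf(false, true)); return 0; }
```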