From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Jason Baron <jbaron@akamai.com>,
davem@davemloft.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, minipli@googlemail.com,
normalperson@yhbt.net, eric.dumazet@gmail.com,
rweikusat@mobileactivedefense.com, viro@zeniv.linux.org.uk,
davidel@xmailserver.org, dave@stgolabs.net, olivier@mauras.ch,
pageexec@freemail.hu, torvalds@linux-foundation.org,
peterz@infradead.org, joe@perches.com
Subject: Re: [PATCH v4 1/3] net: unix: fix use-after-free in unix_dgram_poll()
Date: Sun, 11 Oct 2015 14:30:58 +0100 [thread overview]
Message-ID: <87r3l1cz1p.fsf@doppelsaurus.mobileactivedefense.com> (raw)
In-Reply-To: <87io6gayze.fsf@stressinduktion.org> (Hannes Frederic Sowa's message of "Fri, 09 Oct 2015 16:38:29 +0200")
Hannes Frederic Sowa <hannes@stressinduktion.org> writes:
> Jason Baron <jbaron@akamai.com> writes:
>
>> The unix_dgram_poll() routine calls sock_poll_wait() not only for the wait
>> queue associated with the socket s that we are poll'ing against, but also calls
>> sock_poll_wait() for a remote peer socket p, if it is connected. Thus,
>> if we call poll()/select()/epoll() for the socket s, there are then
>> a couple of code paths in which the remote peer socket p and its associated
>> peer_wait queue can be freed before poll()/select()/epoll() have a chance
>> to remove themselves from the remote peer socket.
>>
>> The way that remote peer socket can be freed are:
>>
>> 1. If s calls connect() to a connect to a new socket other than p, it will
>> drop its reference on p, and thus a close() on p will free it.
>>
>> 2. If we call close on p(), then a subsequent sendmsg() from s, will drop
>> the final reference to p, allowing it to be freed.
>>
>> Address this issue, by reverting unix_dgram_poll() to only register with
>> the wait queue associated with s and register a callback with the remote peer
>> socket on connect() that will wake up the wait queue associated with s. If
>> scenarios 1 or 2 occur above we then simply remove the callback from the
>> remote peer. This then presents the expected semantics to poll()/select()/
>> epoll().
>>
>> I've implemented this for sock-type, SOCK_RAW, SOCK_DGRAM, and SOCK_SEQPACKET
>> but not for SOCK_STREAM, since SOCK_STREAM does not use unix_dgram_poll().
>>
>> Introduced in commit ec0d215f9420 ("af_unix: fix 'poll for write'/connected
>> DGRAM sockets").
>>
>> Tested-by: Mathias Krause <minipli@googlemail.com>
>> Signed-off-by: Jason Baron <jbaron@akamai.com>
>
> While I think this approach works, I haven't seen where the current code
> leaks a reference.
It doesn't "leak a reference" (strictly). It possibly registers a wait queue with
whatever invoked the poll-routine which belongs to the peer socket of
the socket poll was called on. And the inherent problem with that is
that the lifetime of the peer socket is not necessarily the same as
the lifetime of the polled socket. If the polled socket is disconnected
from its peer while still being polled (or registered for being
polled), the former peer may be freed despite the polling code (of whatever
provenience) still references the peer_wait member of the unix socket
structure for this socket.
As pointed out in the original mail, two ways for this to happen is to
call connect on the polled socket or cause a unix_dgram_sendmsg call
on that after the peer socket was closed.
next prev parent reply other threads:[~2015-10-11 13:30 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-09 4:15 [PATCH v4 0/3] net: unix: fix use-after-free Jason Baron
2015-10-09 4:16 ` [PATCH v4 1/3] net: unix: fix use-after-free in unix_dgram_poll() Jason Baron
2015-10-09 14:38 ` Hannes Frederic Sowa
2015-10-11 13:30 ` Rainer Weikusat [this message]
2015-10-12 19:41 ` Jason Baron
2015-10-13 11:42 ` Hannes Frederic Sowa
2015-10-09 4:16 ` [PATCH v4 2/3] net: unix: Convert gc_flags to flags Jason Baron
2015-10-09 4:16 ` [PATCH v4 3/3] net: unix: optimize wakeups in unix_dgram_recvmsg() Jason Baron
2015-10-09 4:29 ` kbuild test robot
2015-10-09 15:12 ` Jason Baron
2015-10-11 11:55 ` [PATCH v4 0/3] net: unix: fix use-after-free David Miller
2015-10-12 12:54 ` Rainer Weikusat
2015-10-12 13:36 ` Eric Dumazet
2015-10-12 19:50 ` Jason Baron
2015-10-13 1:47 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r3l1cz1p.fsf@doppelsaurus.mobileactivedefense.com \
--to=rweikusat@mobileactivedefense.com \
--cc=dave@stgolabs.net \
--cc=davem@davemloft.net \
--cc=davidel@xmailserver.org \
--cc=eric.dumazet@gmail.com \
--cc=hannes@stressinduktion.org \
--cc=jbaron@akamai.com \
--cc=joe@perches.com \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=netdev@vger.kernel.org \
--cc=normalperson@yhbt.net \
--cc=olivier@mauras.ch \
--cc=pageexec@freemail.hu \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).