From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: Sasha Levin <sashal@kernel.org>,
stable@vger.kernel.org,
Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>,
Salvatore Bonaccorso <carnil@debian.org>,
Eric Dumazet <edumazet@google.com>
Subject: Re: [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue
Date: Tue, 13 Aug 2019 20:33:48 +0200 [thread overview]
Message-ID: <20190813183348.GB6582@kroah.com> (raw)
In-Reply-To: <20190813115317.6cgml2mckd3c6u7z@decadent.org.uk>
On Tue, Aug 13, 2019 at 12:53:17PM +0100, Ben Hutchings wrote:
> Denis Andzakovic discovered a potential use-after-free in older kernel
> versions, using syzkaller. tcp_write_queue_purge() frees all skbs in
> the TCP write queue and can leave sk->sk_send_head pointing to freed
> memory. tcp_disconnect() clears that pointer after calling
> tcp_write_queue_purge(), but tcp_connect() does not. It is
> (surprisingly) possible to add to the write queue between
> disconnection and reconnection, so this needs to be done in both
> places.
>
> This bug was introduced by backports of commit 7f582b248d0a ("tcp:
> purge write queue in tcp_connect_init()") and does not exist upstream
> because of earlier changes in commit 75c119afe14f ("tcp: implement
> rb-tree based retransmit queue"). The latter is a major change that's
> not suitable for stable.
>
> Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
> Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
> Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
> Cc: <stable@vger.kernel.org> # before 4.15
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> include/net/tcp.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index fed2a78fb8cb..f9b985d4d779 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -1517,6 +1517,8 @@ struct tcp_fastopen_context {
> struct rcu_head rcu;
> };
>
> +static inline void tcp_init_send_head(struct sock *sk);
> +
> /* write queue abstraction */
> static inline void tcp_write_queue_purge(struct sock *sk)
> {
> @@ -1524,6 +1526,7 @@ static inline void tcp_write_queue_purge(struct sock *sk)
>
> while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL)
> sk_wmem_free_skb(sk, skb);
> + tcp_init_send_head(sk);
> sk_mem_reclaim(sk);
> tcp_clear_all_retrans_hints(tcp_sk(sk));
> inet_csk(sk)->icsk_backoff = 0;
Nice catch, thanks for this. Now queued up everywhere.
greg k-h
next prev parent reply other threads:[~2019-08-13 18:33 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-13 11:53 [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue Ben Hutchings
2019-08-13 18:33 ` Greg Kroah-Hartman [this message]
2019-08-20 2:11 ` Ben Hutchings
2019-08-20 13:27 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190813183348.GB6582@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=ben@decadent.org.uk \
--cc=carnil@debian.org \
--cc=denis.andzakovic@pulsesecurity.co.nz \
--cc=edumazet@google.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).