From: David Laight
To: 'Eric Dumazet'
CC: Eric Dumazet, Marcelo Ricardo Leitner, Dmitry Vyukov, "David S. Miller", Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, "linux-sctp@vger.kernel.org", syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
Subject: RE: [PATCH net] ipv6: sctp: clone options to avoid use after free
Date: Wed, 9 Dec 2015 16:31:49 +0000
Message-ID: <063D6719AE5E284EB5DD2968C1650D6D1CBE9B1C@AcuExch.aculab.com>
In-Reply-To: <1449676782.9768.9.camel@edumazet-glaptop2.roam.corp.google.com>

From: Eric Dumazet [mailto:eric.dumazet@gmail.com]
> Sent: 09 December 2015 16:00
> On Wed, 2015-12-09 at 15:49 +0000, David Laight wrote:
> > > SCTP is lacking proper np->opt cloning at accept() time.
> > >
> > > TCP and DCCP use ipv6_dup_options() helper, do the same in SCTP.
> > >
> > > We might later factorize this code in a common helper to avoid
> > > future mistakes.
> >
> > I'm wondering what the real impact of this and the other recent
> > SCTP bugs/patches is on real workloads?
> > We have enough trouble getting our customers to use kernels
> > later than the 2.6.18 based RHEL5 - without having to persuade
> > them to use kernels that contain very recent fixes.
>
> It all depends if your customers let (hostile ?) people run programs on
> the boxes.

If they require hostile programs I'm not worried.

But it isn't entirely clear from these oops reports what the
test program is actually doing.
Some of them might be valid scenarios.
Not that our code does anything clever.

	David
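
The bug class named in the quoted commit message (no `np->opt` cloning at accept() time), as an added userspace model; it is not kernel code and not from the patch or anyone in this thread. It assumes the accepted socket starts as a byte copy of the listener's IPv6 state, and `txoptions`, `pinfo`, `dup_options` and the `accept_*` helpers are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-ins, not the kernel's structures. */
struct txoptions { size_t len; unsigned char data[8]; };
struct pinfo { struct txoptions *opt; int hop_limit; };

/* Stand-in for the role ipv6_dup_options() plays: a private copy. */
static struct txoptions *dup_options(const struct txoptions *src)
{
    struct txoptions *copy = src ? malloc(sizeof(*copy)) : NULL;
    if (copy)
        memcpy(copy, src, sizeof(*copy));
    return copy;
}

/* "Before" (assumed model): byte copy only, so opt is aliased. */
static void accept_shallow(struct pinfo *child, const struct pinfo *lsk)
{
    memcpy(child, lsk, sizeof(*child));
}

/* "After": same copy, then the child gets its own options. */
static int accept_cloned(struct pinfo *child, const struct pinfo *lsk)
{
    memcpy(child, lsk, sizeof(*child));
    child->opt = dup_options(lsk->opt);
    return (lsk->opt && !child->opt) ? -1 : 0;
}

/* Returns 1 when closing one socket would free the other's options. */
int options_aliased(int use_clone)
{
    struct txoptions *o = calloc(1, sizeof(*o));
    struct pinfo lsk = { o, 64 }, child;
    int aliased;
    if (!o)
        return -1;
    if (use_clone) {
        if (accept_cloned(&child, &lsk)) { free(o); return -1; }
    } else {
        accept_shallow(&child, &lsk);
    }
    aliased = (child.opt == lsk.opt);
    if (!aliased)
        free(child.opt);   /* each socket frees only its own copy */
    free(lsk.opt);         /* listener closes; freed exactly once here */
    return aliased;
}

int main(void)
{
    printf("shallow: %d, cloned: %d\n", options_aliased(0), options_aliased(1));
    return 0;
}
```

The model only detects the aliasing; it never touches the options after they are freed.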