From: Xin Long <lucien.xin@gmail.com>
To: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
netdev <netdev@vger.kernel.org>, Wei Wang <weiwan@google.com>,
linux-sctp@vger.kernel.org
Subject: Re: [RFC] sctp: suspicious rcu_read_lock() in sctp_packet_config()
Date: Wed, 18 Oct 2017 01:33:46 +0800 [thread overview]
Message-ID: <CADvbK_d70=HmQ6Dk6rh92tF0DWxKK-WZ7uyXwybLHtcigwB=6A@mail.gmail.com> (raw)
In-Reply-To: <20171017172726.GD5357@localhost.localdomain>
On Wed, Oct 18, 2017 at 1:27 AM, Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> On Tue, Oct 17, 2017 at 10:20:58AM -0700, Eric Dumazet wrote:
>> On Tue, Oct 17, 2017 at 10:01 AM, Marcelo Ricardo Leitner
>> <marcelo.leitner@gmail.com> wrote:
>> > On Tue, Oct 17, 2017 at 09:44:10AM -0700, Eric Dumazet wrote:
>> >> On Tue, Oct 17, 2017 at 9:28 AM, Marcelo Ricardo Leitner
>> >> <marcelo.leitner@gmail.com> wrote:
>> >> > On Tue, Oct 17, 2017 at 11:31:30PM +0800, Xin Long wrote:
>> >> >> On Tue, Oct 17, 2017 at 9:45 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> >> >> > SCTP experts.
>> >> >> >
>> >> >> > syszkaller reported a few crashes in sctp_packet_config() with invalid
>> >> >> > access to a deleted dst.
>> >> >> >
>> >> >> > The rcu_read_lock() in sctp_packet_config() is suspect.
>> >> >> >
>> >> >> > It does not protect anything at the moment.
>> >> >> >
>> >> >> > If we expect tp->dst to be manipulated/changed by another cpu/thread,
>> >> >> > then we need proper rcu protection.
>> >> >> >
>> >> >> > Following patch to show what would be a minimal change (but obviously
>> >> >> > bigger changes are needed, like sctp_transport_pmtu_check() and
>> >> >> > sctp_transport_dst_check(), and proper sparse annotations)
>> >> >> will check all places accessing tp->dst in sctp.
>> >> >
>> >> > I checked some and sctp_transport_dst_check() should be fine because
>> >> > by then we are holding a reference on dst. Same goes to
>> >> > sctp_transport_pmtu_check().
>> >>
>> >> Really ?
>> >>
>> >
>> > Yes,
>> >
>> >> What about sctp_v4_err() -> sctp_icmp_redirect() -> sctp_transport_dst_check()
>> >>
>> >> It seems quite possible that the BH handler can access it, while
>> >> socket is owned by user.
>> >
>> > hidden here:
>> > sctp_v4_err() {
>> > ...
>> > sk = sctp_err_lookup(net, AF_INET, skb, sctp_hdr(skb), &asoc,
>> > &transport);
>> > ...
>> > out_unlock:
>> > sctp_err_finish(sk, transport);
>> > }
>> >
>> > sctp_err_lookup() {
>> > ...
>> > bh_lock_sock(sk);
>> >
>> > /* If too many ICMPs get dropped on busy
>> > * servers this needs to be solved differently.
>> > */
>> > if (sock_owned_by_user(sk)) [A]
>> > __NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS);
>> >
>> > *app = asoc;
>> > *tpp = transport;
>> > return sk;
>> > ...
>> > }
>> >
>> > Though that if() on [A] should be bailing out without returning
>> > nothing. That's a bug. More like:
>> >
>> > if (sock_owned_by_user(sk)) {
>> > __NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS);
>> > goto out;
>> > }
>> >
>>
>> So why sctp_v4_err() is doing this test ?
>>
>> if (!sock_owned_by_user(sk) && inet->recverr) {
>>
>> It looks like socket can be owned by the user, and [A] check only
>> increments an SNMP counter,
>> that wont help to solve the tp->dst use after free.
>
> Hah, missed that. Though the semantics on that counter still looks
> confusing. It may be incremented when we actually handled the icmp.
> The other icmp handling in there will postpone in case the socket is
> locked by the user, and so will the timer callbacks too.
Maybe that check should be done in sctp_icmp_redirect(), as
in sctp_icmp_frag_needed(), as well as in tcp_v4_err().
@@ -421,7 +421,7 @@ void sctp_icmp_redirect(struct sock *sk, struct
sctp_transport *t,
{
struct dst_entry *dst;
- if (!t)
+ if (sock_owned_by_user(sk) || !t)
return;
>
> Will look more, thanks.
>
WARNING: multiple messages have this Message-ID (diff)
From: Xin Long <lucien.xin@gmail.com>
To: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
netdev <netdev@vger.kernel.org>, Wei Wang <weiwan@google.com>,
linux-sctp@vger.kernel.org
Subject: Re: [RFC] sctp: suspicious rcu_read_lock() in sctp_packet_config()
Date: Tue, 17 Oct 2017 17:33:46 +0000 [thread overview]
Message-ID: <CADvbK_d70=HmQ6Dk6rh92tF0DWxKK-WZ7uyXwybLHtcigwB=6A@mail.gmail.com> (raw)
In-Reply-To: <20171017172726.GD5357@localhost.localdomain>
On Wed, Oct 18, 2017 at 1:27 AM, Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> On Tue, Oct 17, 2017 at 10:20:58AM -0700, Eric Dumazet wrote:
>> On Tue, Oct 17, 2017 at 10:01 AM, Marcelo Ricardo Leitner
>> <marcelo.leitner@gmail.com> wrote:
>> > On Tue, Oct 17, 2017 at 09:44:10AM -0700, Eric Dumazet wrote:
>> >> On Tue, Oct 17, 2017 at 9:28 AM, Marcelo Ricardo Leitner
>> >> <marcelo.leitner@gmail.com> wrote:
>> >> > On Tue, Oct 17, 2017 at 11:31:30PM +0800, Xin Long wrote:
>> >> >> On Tue, Oct 17, 2017 at 9:45 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> >> >> > SCTP experts.
>> >> >> >
>> >> >> > syszkaller reported a few crashes in sctp_packet_config() with invalid
>> >> >> > access to a deleted dst.
>> >> >> >
>> >> >> > The rcu_read_lock() in sctp_packet_config() is suspect.
>> >> >> >
>> >> >> > It does not protect anything at the moment.
>> >> >> >
>> >> >> > If we expect tp->dst to be manipulated/changed by another cpu/thread,
>> >> >> > then we need proper rcu protection.
>> >> >> >
>> >> >> > Following patch to show what would be a minimal change (but obviously
>> >> >> > bigger changes are needed, like sctp_transport_pmtu_check() and
>> >> >> > sctp_transport_dst_check(), and proper sparse annotations)
>> >> >> will check all places accessing tp->dst in sctp.
>> >> >
>> >> > I checked some and sctp_transport_dst_check() should be fine because
>> >> > by then we are holding a reference on dst. Same goes to
>> >> > sctp_transport_pmtu_check().
>> >>
>> >> Really ?
>> >>
>> >
>> > Yes,
>> >
>> >> What about sctp_v4_err() -> sctp_icmp_redirect() -> sctp_transport_dst_check()
>> >>
>> >> It seems quite possible that the BH handler can access it, while
>> >> socket is owned by user.
>> >
>> > hidden here:
>> > sctp_v4_err() {
>> > ...
>> > sk = sctp_err_lookup(net, AF_INET, skb, sctp_hdr(skb), &asoc,
>> > &transport);
>> > ...
>> > out_unlock:
>> > sctp_err_finish(sk, transport);
>> > }
>> >
>> > sctp_err_lookup() {
>> > ...
>> > bh_lock_sock(sk);
>> >
>> > /* If too many ICMPs get dropped on busy
>> > * servers this needs to be solved differently.
>> > */
>> > if (sock_owned_by_user(sk)) [A]
>> > __NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS);
>> >
>> > *app = asoc;
>> > *tpp = transport;
>> > return sk;
>> > ...
>> > }
>> >
>> > Though that if() on [A] should be bailing out without returning
>> > nothing. That's a bug. More like:
>> >
>> > if (sock_owned_by_user(sk)) {
>> > __NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS);
>> > goto out;
>> > }
>> >
>>
>> So why sctp_v4_err() is doing this test ?
>>
>> if (!sock_owned_by_user(sk) && inet->recverr) {
>>
>> It looks like socket can be owned by the user, and [A] check only
>> increments an SNMP counter,
>> that wont help to solve the tp->dst use after free.
>
> Hah, missed that. Though the semantics on that counter still looks
> confusing. It may be incremented when we actually handled the icmp.
> The other icmp handling in there will postpone in case the socket is
> locked by the user, and so will the timer callbacks too.
Maybe that check should be done in sctp_icmp_redirect(), as
in sctp_icmp_frag_needed(), as well as in tcp_v4_err().
@@ -421,7 +421,7 @@ void sctp_icmp_redirect(struct sock *sk, struct
sctp_transport *t,
{
struct dst_entry *dst;
- if (!t)
+ if (sock_owned_by_user(sk) || !t)
return;
>
> Will look more, thanks.
>
next prev parent reply other threads:[~2017-10-17 17:33 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-17 13:45 [RFC] sctp: suspicious rcu_read_lock() in sctp_packet_config() Eric Dumazet
2017-10-17 15:31 ` Xin Long
2017-10-17 15:31 ` Xin Long
2017-10-17 16:28 ` Marcelo Ricardo Leitner
2017-10-17 16:28 ` Marcelo Ricardo Leitner
2017-10-17 16:44 ` Eric Dumazet
2017-10-17 16:44 ` Eric Dumazet
2017-10-17 17:01 ` Marcelo Ricardo Leitner
2017-10-17 17:01 ` Marcelo Ricardo Leitner
2017-10-17 17:20 ` Eric Dumazet
2017-10-17 17:20 ` Eric Dumazet
2017-10-17 17:27 ` Marcelo Ricardo Leitner
2017-10-17 17:27 ` Marcelo Ricardo Leitner
2017-10-17 17:33 ` Xin Long [this message]
2017-10-17 17:33 ` Xin Long
2017-10-18 10:01 ` Marcelo Ricardo Leitner
2017-10-18 10:01 ` Marcelo Ricardo Leitner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADvbK_d70=HmQ6Dk6rh92tF0DWxKK-WZ7uyXwybLHtcigwB=6A@mail.gmail.com' \
--to=lucien.xin@gmail.com \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=linux-sctp@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=vyasevich@gmail.com \
--cc=weiwan@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.