linux-kernel.vger.kernel.org archive mirror
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	"Daniel Borkmann" <dborkman@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	"Eric Dumazet" <edumazet@google.com>
Subject: [PATCH 3.2 18/87] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race
Date: Mon, 25 Nov 2013 13:44:29 +0000
Message-ID: <lsq.1385387069.704765350@decadent.org.uk>
In-Reply-To: <lsq.1385387069.559528559@decadent.org.uk>

3.2.53-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <dborkman@redhat.com>

[ Upstream commit 90c6bd34f884cd9cee21f1d152baf6c18bcac949 ]

In the case of credentials passing in unix stream sockets (dgram
sockets seem not affected), we get a rather sparse race after
commit 16e5726 ("af_unix: dont send SCM_CREDENTIALS by default").

We have a stream server on receiver side that requests credential
passing from senders (e.g. nc -U). Since we need to set SO_PASSCRED
on each spawned/accepted socket on server side to 1 first (as it's
not inherited), it can happen that in the time between accept() and
setsockopt() we get interrupted, the sender is being scheduled and
continues with passing data to our receiver. At that time SO_PASSCRED
is neither set on sender nor receiver side, hence in cmsg's
SCM_CREDENTIALS we get eventually pid:0, uid:65534, gid:65534
(== overflow{u,g}id) instead of what we actually would like to see.

On the sender side, here nc -U, the tests in maybe_add_creds()
invoked through unix_stream_sendmsg() would fail, as at that exact
time, as mentioned, the sender has neither SO_PASSCRED on his side
nor sees it on the server side, and we have a valid 'other' socket
in place. Thus, sender believes it would just look like a normal
connection, not needing/requesting SO_PASSCRED at that time.

As reverting 16e5726 would not be an option due to the significant
performance regression reported when having creds always passed,
one way/trade-off to prevent that would be to set SO_PASSCRED on
the listener socket and allow inheriting these flags to the spawned
socket on server side in accept(). It seems also logical to do so
if we'd tell the listener socket to pass those flags onwards, and
would fix the race.

Before, strace:

recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}],
        msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET,
        cmsg_type=SCM_CREDENTIALS{pid=0, uid=65534, gid=65534}},
        msg_flags=0}, 0) = 5

After, strace:

recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}],
        msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET,
        cmsg_type=SCM_CREDENTIALS{pid=11580, uid=1000, gid=1000}},
        msg_flags=0}, 0) = 5

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/unix/af_unix.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 5611563..5122b22 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1236,6 +1236,15 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb)
 	return 0;
 }
 
+static void unix_sock_inherit_flags(const struct socket *old,
+				    struct socket *new)
+{
+	if (test_bit(SOCK_PASSCRED, &old->flags))
+		set_bit(SOCK_PASSCRED, &new->flags);
+	if (test_bit(SOCK_PASSSEC, &old->flags))
+		set_bit(SOCK_PASSSEC, &new->flags);
+}
+
 static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
 {
 	struct sock *sk = sock->sk;
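Review bot: unix_sock_inherit_flags() has no comment, so the reason exactly SOCK_PASSCRED and SOCK_PASSSEC are copied, and the fact that accepted sockets now start with the listener's settings (which user space can observe), has to be dug out of the commit message. A short comment above the helper saying that these two flags are inherited at accept() so that credentials are already requested when the first data arrives would keep that intent in the source. The helper only ever sets bits and never clears them, which is correct as long as new arrives with both flags clear; the same comment could state that assumption.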
@@ -1270,6 +1279,7 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
 	/* attach accepted sock to socket */
 	unix_state_lock(tsk);
 	newsock->state = SS_CONNECTED;
+	unix_sock_inherit_flags(sock, newsock);
 	sock_graft(tsk, newsock);
 	unix_state_unlock(tsk);
 	return 0;
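Review bot: the unix_sock_inherit_flags(sock, newsock) call in unix_accept() depends on running before sock_graft(tsk, newsock), but nothing at the call site says the order matters. Per the commit message the sender decides whether to attach credentials by looking at the flags of the server side socket, so a later cleanup that moves the call below sock_graft() would reopen the window; a one-line comment here would guard against that. In the visible context only tsk is locked while the listener's sock->flags is read, so a setsockopt() on the listening socket that runs concurrently with accept() may or may not be reflected in newsock; that looks acceptable, but it deserves a sentence in the changelog or the comment.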


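The server-side pattern the commit message describes (SO_PASSCRED set once on the listening socket, no setsockopt() after accept()), as an added userspace example that is not part of the patch. The function name passcred_via_listener and the abstract socket name are hypothetical, the client runs in the same process for brevity, and the expected results assume a kernel that contains this change.

```c
#define _GNU_SOURCE		/* struct ucred */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fills *cred from the first message on a freshly accepted socket and sets
 * *inherited to that socket's SO_PASSCRED value. Returns 0, or -1 on error. */
int passcred_via_listener(struct ucred *cred, int *inherited)
{
	struct sockaddr_un addr = { .sun_family = AF_UNIX };
	union { char buf[CMSG_SPACE(sizeof(struct ucred))]; struct cmsghdr align; } ctl;
	char data[16];
	struct iovec iov = { .iov_base = data, .iov_len = sizeof(data) };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
			      .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
	struct cmsghdr *c;
	socklen_t alen, olen = sizeof(*inherited);
	int one = 1, lfd = -1, cfd = -1, afd = -1, ret = -1;
	/* Constructed abstract-namespace name (leading NUL), unique per process. */
	int n = snprintf(addr.sun_path + 1, sizeof(addr.sun_path) - 1,
			 "passcred-demo-%d", (int)getpid());

	alen = offsetof(struct sockaddr_un, sun_path) + 1 + n;
	if ((lfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0 ||
	    (cfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
		goto out;
	/* Request credentials on the listener, before any client can connect. */
	if (setsockopt(lfd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) ||
	    bind(lfd, (struct sockaddr *)&addr, alen) || listen(lfd, 1))
		goto out;
	/* Client side: connect and send at once; it never sets SO_PASSCRED. */
	if (connect(cfd, (struct sockaddr *)&addr, alen) || send(cfd, "blub\n", 5, 0) != 5)
		goto out;
	/* No setsockopt() on the accepted socket: the flag comes from lfd. */
	afd = accept(lfd, NULL, NULL);
	if (afd < 0 || getsockopt(afd, SOL_SOCKET, SO_PASSCRED, inherited, &olen) ||
	    recvmsg(afd, &msg, 0) != 5)
		goto out;
	for (c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
		if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
			memcpy(cred, CMSG_DATA(c), sizeof(*cred));
			ret = 0;
		}
out:
	if (afd >= 0) close(afd);
	if (cfd >= 0) close(cfd);
	if (lfd >= 0) close(lfd);
	return ret;
}
```

A server that still sets SO_PASSCRED only after accept() keeps the window described in the commit message; checking the accepted socket with getsockopt(), as done here, shows whether the running kernel inherits the flag.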