From: Eric Dumazet <eric.dumazet@gmail.com>
To: Tim Chen <tim.c.chen@linux.intel.com>
Cc: "Yan, Zheng" <zheng.z.yan@intel.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"sfr@canb.auug.org.au" <sfr@canb.auug.org.au>,
"jirislaby@gmail.com" <jirislaby@gmail.com>,
"sedat.dilek@gmail.com" <sedat.dilek@gmail.com>,
alex.shi@intel.com
Subject: Re: [PATCH -next v2] unix stream: Fix use-after-free crashes
Date: Tue, 06 Sep 2011 21:01:00 +0200 [thread overview]
Message-ID: <1315335660.3400.7.camel@edumazet-laptop> (raw)
In-Reply-To: <1315335019.2576.3048.camel@schen9-DESK>
Le mardi 06 septembre 2011 à 11:50 -0700, Tim Chen a écrit :
> On Tue, 2011-09-06 at 19:40 +0200, Eric Dumazet wrote:
> > Le mardi 06 septembre 2011 à 09:25 -0700, Tim Chen a écrit :
> > > On Sun, 2011-09-04 at 13:44 +0800, Yan, Zheng wrote:
> > > > Commit 0856a30409 (Scm: Remove unnecessary pid & credential references
> > > > in Unix socket's send and receive path) introduced a use-after-free bug.
> > > > It passes the scm reference to the first skb. Skb(s) afterwards may
> > > > reference freed data structure because the first skb can be destructed
> > > > by the receiver at anytime. The fix is by passing the scm reference to
> > > > the very last skb.
> > > >
> > > > Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
> > > > Reported-by: Jiri Slaby <jirislaby@gmail.com>
> > > > ---
> > >
> > > Thanks for finding this bug in my original patch. I've missed the case
> > > where receiving side could have released the all the references to the
> > > credential before the send side is using the credential again for
> > > subsequent skbs in the stream, thus causing the problem we saw. Getting
> > > an extra reference for pid/credentials at the beginning of the stream
> > > and not getting reference for the last skb is the right approach.
> > >
> > > Thanks also to Sedat, Valdis and Jiri for their extensive testing to
> > > discover the bug and testing the subsequent fixes.
> > >
> > > Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
> >
> > What happens if message must be split in two skb,
> > first skb is built, queued (without scm reference)
>
> An extra scm reference is already first obtained in scm_send at the
> beginning of unix_stream_sendmsg in Yan Zheng's patch. So things should
> be okay as long as we only use this extra reference we got in scm_send
> for the last skb in unix_stream_sendmsg instead of the first skb.
>
> >
> > Second skb allocation fails.
> >
> > Rule about refs/norefs games is : As soon as you put skb into a list, it
> > should have all appropriate references if this skb has pointer(s) to
> > objects(s)
>
> All the skbs put on the list does have proper reference on pid/scm. In
> the example you give, the first skb got the reference at this line:
>
> err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, fds_sent);
This is the current code. We know its buggy.
I was discussing of things after proposed patch, not current net-next.
This reads :
err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, scm_ref);
So first skb is sent without ref taken, as mentioned in Changelog ?
If second skb cannot be built, we exit this system call with an already
queued skb. Receiver can then access to freed memory.
>
> the second skb use the reference already obtained at the beginning of
> unix_stream_sendmsg if the skb allocation is successful:
>
> err = scm_send(sock, msg, siocb->scm);
>
> Now if the second skb allocation failed, the extra scm reference will be
> released by scm_destroy in the error handling path.
>
> >
> > We should revert 0856a304091b33a and code the thing differently.
> >
> > Instead of storing pointer to pid and cred in UNIXSKB(), why dont we
> > copy all needed information ? No ref counts at all.
> >
> > skb->cb[] is large enough.
> >
>
> If we can simply copy some information over, that will be ideal and
> will resolve all the scalability problems.
>
> However, I don't see other obvious info that we can pass to avoid
> passing pid. Our current credential is pid and uid based, and requires
> the knowledge of sender's pid to interpret uid to do credentials
> checking. So without passing the sender pid, I don't see an easy way
> for the receive side to interpret sender uid it got, which is needed in
> user_ns_map_uid function when we call cred_to_ucred.
>
> I was trying to do minimal changes to gain some performance. The
> approach you suggest is great but will probably require much more
> changes to the credentials infrastructure. Or maybe there are some easy
> way to do it that I don't see.
My approach would basically revert the 7361c36c commit too :(
I am sorry, but the only way to avoid too many pid/cred references is to
lock the socket [aka unix_state_lock(other);] for the whole send()
duration.
This way, you can really increment the pid/cred reference on the last
pushed skb, because no reader can 'catch first skb'
As soon as unix_state_unlock(other) is called, everything can happen, so
skb must be self contained, as I stated in my earlier mail.
next prev parent reply other threads:[~2011-09-06 19:01 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-04 5:44 [PATCH -next v2] unix stream: Fix use-after-free crashes Yan, Zheng
2011-09-04 7:12 ` Sedat Dilek
2011-09-04 8:23 ` Yan, Zheng
2011-09-04 15:50 ` Joe Perches
2011-09-06 16:39 ` Tim Chen
2011-09-06 16:25 ` Tim Chen
2011-09-06 17:40 ` Eric Dumazet
2011-09-06 18:50 ` Tim Chen
2011-09-06 19:01 ` Eric Dumazet [this message]
2011-09-06 19:33 ` Tim Chen
2011-09-06 19:43 ` Eric Dumazet
2011-09-06 19:59 ` Tim Chen
2011-09-06 20:19 ` Eric Dumazet
2011-09-06 22:08 ` Tim Chen
2011-09-07 2:35 ` Eric Dumazet
2011-09-06 23:09 ` Yan, Zheng
2011-09-07 2:55 ` Eric Dumazet
2011-09-16 23:35 ` David Miller
2011-09-16 16:50 ` Tim Chen
2011-09-19 7:57 ` Eric Dumazet
2011-09-07 4:36 ` Yan, Zheng
2011-09-07 5:08 ` Eric Dumazet
2011-09-07 5:20 ` Yan, Zheng
[not found] ` <1315381503.3400.85.camel@edumazet-laptop>
2011-09-07 12:01 ` Tim Chen
2011-09-07 20:12 ` Sedat Dilek
2011-09-07 20:30 ` Sedat Dilek
2011-09-07 14:37 ` Tim Chen
2011-09-08 0:27 ` Yan, Zheng
2011-09-07 21:06 ` Tim Chen
2011-09-07 21:15 ` Tim Chen
2011-09-08 6:21 ` Eric Dumazet
2011-09-08 4:18 ` Yan, Zheng
2011-09-08 5:59 ` Eric Dumazet
2011-09-08 6:22 ` Yan, Zheng
2011-09-08 7:11 ` Eric Dumazet
2011-09-08 7:23 ` Yan, Zheng
2011-09-08 7:33 ` Eric Dumazet
2011-09-08 9:59 ` Sedat Dilek
2011-09-08 13:21 ` [PATCH net-next v3] af_unix: " Eric Dumazet
2011-09-08 8:37 ` Tim Chen
2011-09-09 6:51 ` Eric Dumazet
2011-09-09 7:58 ` [PATCH net-next] af_unix: fix use after free in unix_stream_recvmsg() Eric Dumazet
2011-09-09 10:39 ` Tim Chen
2011-09-09 10:41 ` [PATCH net-next v3] af_unix: Fix use-after-free crashes Tim Chen
2011-09-08 7:56 ` [PATCH -next v2] unix stream: " Jiri Slaby
2011-09-08 8:43 ` Sedat Dilek
2011-09-08 7:02 ` Sedat Dilek
2011-09-07 21:26 ` Eric Dumazet
2011-09-08 13:28 ` Eric Dumazet
2011-09-08 9:24 ` Tim Chen
2011-09-09 5:06 ` [PATCH net-next] af_unix: dont send SCM_CREDENTIALS by default Eric Dumazet
2011-09-12 19:15 ` Tim Chen
2011-09-19 1:07 ` David Miller
2011-09-19 4:28 ` Eric Dumazet
2011-09-19 15:02 ` Eric Dumazet
2011-09-19 15:52 ` [PATCH v2 " Eric Dumazet
2011-09-19 21:39 ` Tim Chen
2011-09-20 2:10 ` Valdis.Kletnieks
2011-09-20 4:16 ` Eric Dumazet
2011-09-22 16:15 ` tim
2011-11-28 13:23 ` Michal Schmidt
2011-11-28 13:38 ` Eric Dumazet
2011-09-28 17:30 ` David Miller
2011-09-08 10:05 ` [PATCH -next v2] unix stream: Fix use-after-free crashes Sedat Dilek
2011-09-08 8:50 ` Tim Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1315335660.3400.7.camel@edumazet-laptop \
--to=eric.dumazet@gmail.com \
--cc=alex.shi@intel.com \
--cc=davem@davemloft.net \
--cc=jirislaby@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=sedat.dilek@gmail.com \
--cc=sfr@canb.auug.org.au \
--cc=tim.c.chen@linux.intel.com \
--cc=zheng.z.yan@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).