netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Kleber Sacilotto de Souza <kleber.souza@canonical.com>,
	netdev@vger.kernel.org, Gerrit Renker <gerrit@erg.abdn.ac.uk>,
	"David S. Miller" <davem@davemloft.net>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	"Alexander A. Klimov" <grandmaster@al2klimov.de>,
	Kees Cook <keescook@chromium.org>,
	Eric Dumazet <edumazet@google.com>,
	Alexey Kodanev <alexey.kodanev@oracle.com>,
	dccp@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock
Date: Thu, 15 Oct 2020 07:53:58 -0300	[thread overview]
Message-ID: <20201015105358.GA367246@mussarela> (raw)
In-Reply-To: <20201014204322.7a51c375@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Wed, Oct 14, 2020 at 08:43:22PM -0700, Jakub Kicinski wrote:
> On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote:
> > From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> > 
> > When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
> > del_timer_sync can't be used is because this relies on keeping a reference
> > to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
> > during disconnect, the timer should really belong to struct dccp_sock.
> > 
> > This addresses CVE-2020-16119.
> > 
> > Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
> 
> Presumably you chose this commit because the fix won't apply beyond it?
> But it really fixes 2677d2067731 (dccp: don't free.. right?

Well, it should also fix cases where dccps_hc_tx_ccid{,_private} has been freed
right after the timer is stopped.

So, we could add:
Fixes: 2a91aa396739 ([DCCP] CCID2: Initial CCID2 (TCP-Like) implementation)
Fixes: 7c657876b63c ([DCCP]: Initial implementation)

But I wouldn't say that this fixes 2677d2067731, unless there is argument to
say that it fixes it because it claimed to fix what is being fixed here. But
even the code that it removed was supposed to be stopping the timer, so how
could it ever fix what it was claiming to fix?

Thanks.
Cascardo.

> 
> > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

  reply	other threads:[~2020-10-15 10:54 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-13 17:18 [PATCH 0/2] net: dccp: fix structure use-after-free Kleber Sacilotto de Souza
2020-10-13 17:18 ` [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock Kleber Sacilotto de Souza
2020-10-13 18:58   ` Richard Sailer
2020-10-15  3:43   ` Jakub Kicinski
2020-10-15 10:53     ` Thadeu Lima de Souza Cascardo [this message]
2020-10-16 22:30   ` Jakub Kicinski
2020-11-09 11:48     ` Thadeu Lima de Souza Cascardo
2020-11-09 17:49       ` Jakub Kicinski
2020-11-09 21:09         ` Thadeu Lima de Souza Cascardo
2020-11-09 21:15           ` Jakub Kicinski
2020-11-09 21:31             ` Thadeu Lima de Souza Cascardo
2020-11-09 22:15               ` Jakub Kicinski
2020-11-10 11:19                 ` Thadeu Lima de Souza Cascardo
2020-11-10 16:16                   ` Jakub Kicinski
2020-10-13 17:18 ` [PATCH 2/2] Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()" Kleber Sacilotto de Souza
2020-10-13 18:59   ` Richard Sailer
2020-10-15  3:42   ` Jakub Kicinski
2020-10-15  9:23     ` Kleber Souza

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201015105358.GA367246@mussarela \
    --to=cascardo@canonical.com \
    --cc=alexey.kodanev@oracle.com \
    --cc=davem@davemloft.net \
    --cc=dccp@vger.kernel.org \
    --cc=edumazet@google.com \
    --cc=gerrit@erg.abdn.ac.uk \
    --cc=grandmaster@al2klimov.de \
    --cc=gustavoars@kernel.org \
    --cc=keescook@chromium.org \
    --cc=kleber.souza@canonical.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).