From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E3AEC2D0A3 for ; Mon, 9 Nov 2020 17:49:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3F23F2068D for ; Mon, 9 Nov 2020 17:49:43 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="XmRgnrlt" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729848AbgKIRtl (ORCPT ); Mon, 9 Nov 2020 12:49:41 -0500 Received: from mail.kernel.org ([198.145.29.99]:45176 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726952AbgKIRtl (ORCPT ); Mon, 9 Nov 2020 12:49:41 -0500 Received: from kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com (unknown [163.114.132.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9C19A20665; Mon, 9 Nov 2020 17:49:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604944180; bh=2JS+DaVkJRk5CcGsB31ekydAlAwz2JA7uSthpODOzec=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=XmRgnrltaXpz59xQMBWOzeps7fFSmvRjemBlntUxDEH1LwiYlonGdBYE3avceHraq nSyFlK0cCmuNTW1Bum6YvH/dg4My0lmOdWzcN8YwqUwP35dB8OhS0wO7HkYRWRIlhO RBYzc1DM34+d3vUKr9NlcwrI5QlXXnd1WqzveoCg= Date: Mon, 9 Nov 2020 09:49:38 -0800 From: Jakub Kicinski To: Thadeu Lima de Souza Cascardo Cc: Kleber Sacilotto de Souza , Eric Dumazet , netdev@vger.kernel.org, Gerrit Renker , "David S. Miller" , "Gustavo A. R. Silva" , "Alexander A. Klimov" , Kees Cook , Alexey Kodanev , dccp@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock Message-ID: <20201109094938.45b230c9@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> In-Reply-To: <20201109114828.GP595944@mussarela> References: <20201013171849.236025-1-kleber.souza@canonical.com> <20201013171849.236025-2-kleber.souza@canonical.com> <20201016153016.04bffc1e@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> <20201109114828.GP595944@mussarela> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Mon, 9 Nov 2020 08:48:28 -0300 Thadeu Lima de Souza Cascardo wrote: > On Fri, Oct 16, 2020 at 03:30:16PM -0700, Jakub Kicinski wrote: > > On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote: > > > From: Thadeu Lima de Souza Cascardo > > > > > > When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason > > > del_timer_sync can't be used is because this relies on keeping a reference > > > to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that > > > during disconnect, the timer should really belong to struct dccp_sock. > > > > > > This addresses CVE-2020-16119. > > > > > > Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup()) > > > Signed-off-by: Thadeu Lima de Souza Cascardo > > > Signed-off-by: Kleber Sacilotto de Souza > > > > I've been mulling over this fix. > > > > The layering violation really doesn't sit well. > > > > We're reusing the timer object. What if we are really unlucky, the > > fires and gets blocked by a cosmic ray just as it's about to try to > > lock the socket, then user manages to reconnect, and timer starts > > again. Potentially with a different CCID algo altogether? > > > > Is disconnect ever called under the BH lock? Maybe plumb a bool > > argument through to ccid*_hc_tx_exit() and do a sk_stop_timer_sync() > > when called from disconnect()? > > > > Or do refcounting on ccid_priv so that the timer holds both the socket > > and the priv? > > Sorry about too late a response. I was on vacation, then came back and spent a > couple of days testing this further, and had to switch to other tasks. > > So, while testing this, I had to resort to tricks like having a very small > expire and enqueuing on a different CPU. Then, after some minutes, I hit a UAF. > That's with or without the first of the second patch. > > I also tried to refcount ccid instead of the socket, keeping the timer on the > ccid, but that still hit the UAF, and that's when I had to switch tasks. Hm, not instead, as well. I think trying cancel the timer _sync from the disconnect path would be the simplest solution, tho. > Oh, and in the meantime, I found one or two other fixes that we > should apply, will send them shortly. > > But I would argue that we should apply the revert as it addresses the > CVE, without really regressing the other UAF, as I argued. Does that > make sense? We can - it's always a little strange to go from one bug to a different without a fix - but the justification being that while the previous UAF required a race condition the new one is actually worst because it can be triggered reliably?