From: "Yan, Zheng" <zheng.z.yan@intel.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>,
"sedat.dilek@gmail.com" <sedat.dilek@gmail.com>,
"Yan, Zheng" <yanzheng@21cn.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"sfr@canb.auug.org.au" <sfr@canb.auug.org.au>,
"jirislaby@gmail.com" <jirislaby@gmail.com>,
"Shi, Alex" <alex.shi@intel.com>,
Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Subject: Re: [PATCH -next v2] unix stream: Fix use-after-free crashes
Date: Thu, 08 Sep 2011 14:22:17 +0800 [thread overview]
Message-ID: <4E685F19.6030407@intel.com> (raw)
In-Reply-To: <1315461572.2532.7.camel@edumazet-laptop>
On 09/08/2011 01:59 PM, Eric Dumazet wrote:
> Le mercredi 07 septembre 2011 à 14:06 -0700, Tim Chen a écrit :
>> On Thu, 2011-09-08 at 08:27 +0800, Yan, Zheng wrote:
>>
>>>> err = -EPIPE;
>>>> out_err:
>>>> - if (skb == NULL)
>>>> + if (!steal_refs)
>>>> scm_destroy(siocb->scm);
>>>
>>> I think we should call scm_release() here in the case of
>>> steal_refs == true. Otherwise siocb->scm->fp may leak.
>>
>> Yan Zheng,
>>
>> I've updated the patch. If it looks good to you now, can you add your
>> Signed-off-by to the patch. Pending Sedat's testing on this patch,
>> I think it is good to go.
>>
>> Tim
>>
>> ---
>> Commit 0856a30409 (Scm: Remove unnecessary pid & credential references
>> in Unix socket's send and receive path) introduced a use-after-free bug.
>> The sent skbs from unix_stream_sendmsg could be consumed and destructed
>> by the receive side, removing all references to the credentials,
>> before the send side has finished sending out all
>> packets. However, send side could continue to consturct new packets in the
>> stream, using credentials that have lost its last reference and been
>> freed.
>>
>> In this fix, we don't steal the reference to credentials we have obtained
>> in scm_send at beginning of unix_stream_sendmsg, till we've reached
>> the last packet. This fixes the problem in commit 0856a30409.
>>
>> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
>> Reported-by: Jiri Slaby <jirislaby@gmail.com>
>> Tested-by: Sedat Dilek <sedat.dilek@googlemail.com>
>> Tested-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
>> ---
>> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
>> index 136298c..47780dc 100644
>> --- a/net/unix/af_unix.c
>> +++ b/net/unix/af_unix.c
>> @@ -1383,10 +1383,11 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
>> }
>>
>> static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb,
>> - bool send_fds, bool ref)
>> + bool send_fds, bool steal_refs)
>> {
>> int err = 0;
>> - if (ref) {
>> +
>> + if (!steal_refs) {
>> UNIXCB(skb).pid = get_pid(scm->pid);
>> UNIXCB(skb).cred = get_cred(scm->cred);
>> } else {
>> @@ -1458,7 +1459,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
>> if (skb == NULL)
>> goto out;
>>
>> - err = unix_scm_to_skb(siocb->scm, skb, true, false);
>> + err = unix_scm_to_skb(siocb->scm, skb, true, true);
>> if (err < 0)
>> goto out_free;
>> max_level = err + 1;
>> @@ -1581,6 +1582,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
>> int sent = 0;
>> struct scm_cookie tmp_scm;
>> bool fds_sent = false;
>> + bool steal_refs = false;
>> int max_level;
>>
>> if (NULL == siocb->scm)
>> @@ -1642,11 +1644,14 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
>> size = min_t(int, size, skb_tailroom(skb));
>>
>>
>> - /* Only send the fds and no ref to pid in the first buffer */
>> - err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, fds_sent);
>> + /* Only send the fds in first buffer
>> + * Last buffer can steal our references to pid/cred
>> + */
>> + steal_refs = (sent + size >= len);
>> + err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, steal_refs);
>> if (err < 0) {
>> kfree_skb(skb);
>> - goto out;
>> + goto out_err;
>> }
>> max_level = err + 1;
>> fds_sent = true;
>> @@ -1654,7 +1659,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
>> err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
>> if (err) {
>> kfree_skb(skb);
>> - goto out;
>> + goto out_err;
>> }
>>
>> unix_state_lock(other);
>> @@ -1671,7 +1676,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
>> sent += size;
>> }
>>
>> - if (skb)
>> + if (steal_refs)
>> scm_release(siocb->scm);
>> else
>> scm_destroy(siocb->scm);
>> @@ -1687,9 +1692,10 @@ pipe_err:
>> send_sig(SIGPIPE, current, 0);
>> err = -EPIPE;
>> out_err:
>> - if (skb == NULL)
>> + if (steal_refs)
>> + scm_release(siocb->scm);
>> + else
>> scm_destroy(siocb->scm);
>> -out:
>> siocb->scm = NULL;
>> return sent ? : err;
>> }
>>
>>
>>
>
> I dont think this patch is good.
>
> Sedat traces have nothing to do with af_unix.
>
> Once unix_scm_to_skb() was called and successful, and steal_refs is true
> our refs are attached to this skb. They will be released by
> skb_free(skb). Same for fp : They either were sent in a previous skb or
> this one.
>
> This is why the "goto out;" was OK.
>
I don't think so. unix_scm_to_skb() calls unix_attach_fds(), it
always duplicates scm->fp.
Regards
next prev parent reply other threads:[~2011-09-08 6:22 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-04 5:44 [PATCH -next v2] unix stream: Fix use-after-free crashes Yan, Zheng
2011-09-04 7:12 ` Sedat Dilek
2011-09-04 8:23 ` Yan, Zheng
2011-09-04 15:50 ` Joe Perches
2011-09-06 16:39 ` Tim Chen
2011-09-06 16:25 ` Tim Chen
2011-09-06 17:40 ` Eric Dumazet
2011-09-06 18:50 ` Tim Chen
2011-09-06 19:01 ` Eric Dumazet
2011-09-06 19:33 ` Tim Chen
2011-09-06 19:43 ` Eric Dumazet
2011-09-06 19:59 ` Tim Chen
2011-09-06 20:19 ` Eric Dumazet
2011-09-06 22:08 ` Tim Chen
2011-09-07 2:35 ` Eric Dumazet
2011-09-06 23:09 ` Yan, Zheng
2011-09-07 2:55 ` Eric Dumazet
2011-09-16 23:35 ` David Miller
2011-09-16 16:50 ` Tim Chen
2011-09-19 7:57 ` Eric Dumazet
2011-09-07 4:36 ` Yan, Zheng
2011-09-07 5:08 ` Eric Dumazet
2011-09-07 5:20 ` Yan, Zheng
[not found] ` <1315381503.3400.85.camel@edumazet-laptop>
2011-09-07 12:01 ` Tim Chen
2011-09-07 20:12 ` Sedat Dilek
2011-09-07 20:30 ` Sedat Dilek
2011-09-07 14:37 ` Tim Chen
2011-09-08 0:27 ` Yan, Zheng
2011-09-07 21:06 ` Tim Chen
2011-09-07 21:15 ` Tim Chen
2011-09-08 6:21 ` Eric Dumazet
2011-09-08 4:18 ` Yan, Zheng
2011-09-08 5:59 ` Eric Dumazet
2011-09-08 6:22 ` Yan, Zheng [this message]
2011-09-08 7:11 ` Eric Dumazet
2011-09-08 7:23 ` Yan, Zheng
2011-09-08 7:33 ` Eric Dumazet
2011-09-08 9:59 ` Sedat Dilek
2011-09-08 13:21 ` [PATCH net-next v3] af_unix: " Eric Dumazet
2011-09-08 8:37 ` Tim Chen
2011-09-09 6:51 ` Eric Dumazet
2011-09-09 7:58 ` [PATCH net-next] af_unix: fix use after free in unix_stream_recvmsg() Eric Dumazet
2011-09-09 10:39 ` Tim Chen
2011-09-09 10:41 ` [PATCH net-next v3] af_unix: Fix use-after-free crashes Tim Chen
2011-09-08 7:56 ` [PATCH -next v2] unix stream: " Jiri Slaby
2011-09-08 8:43 ` Sedat Dilek
2011-09-08 7:02 ` Sedat Dilek
2011-09-07 21:26 ` Eric Dumazet
2011-09-08 13:28 ` Eric Dumazet
2011-09-08 9:24 ` Tim Chen
2011-09-09 5:06 ` [PATCH net-next] af_unix: dont send SCM_CREDENTIALS by default Eric Dumazet
2011-09-12 19:15 ` Tim Chen
2011-09-19 1:07 ` David Miller
2011-09-19 4:28 ` Eric Dumazet
2011-09-19 15:02 ` Eric Dumazet
2011-09-19 15:52 ` [PATCH v2 " Eric Dumazet
2011-09-19 21:39 ` Tim Chen
2011-09-20 2:10 ` Valdis.Kletnieks
2011-09-20 4:16 ` Eric Dumazet
2011-09-22 16:15 ` tim
2011-11-28 13:23 ` Michal Schmidt
2011-11-28 13:38 ` Eric Dumazet
2011-09-28 17:30 ` David Miller
2011-09-08 10:05 ` [PATCH -next v2] unix stream: Fix use-after-free crashes Sedat Dilek
2011-09-08 8:50 ` Tim Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E685F19.6030407@intel.com \
--to=zheng.z.yan@intel.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=alex.shi@intel.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=jirislaby@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=sedat.dilek@gmail.com \
--cc=sfr@canb.auug.org.au \
--cc=tim.c.chen@linux.intel.com \
--cc=yanzheng@21cn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).