Stable Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue
@ 2019-08-13 11:53 Ben Hutchings
  2019-08-13 18:33 ` Greg Kroah-Hartman
  2019-08-20  2:11 ` Ben Hutchings
  0 siblings, 2 replies; 4+ messages in thread
From: Ben Hutchings @ 2019-08-13 11:53 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Sasha Levin
  Cc: stable, Denis Andzakovic, Salvatore Bonaccorso, Eric Dumazet

[-- Attachment #1: Type: text/plain, Size: 1870 bytes --]

Denis Andzakovic discovered a potential use-after-free in older kernel
versions, using syzkaller.  tcp_write_queue_purge() frees all skbs in
the TCP write queue and can leave sk->sk_send_head pointing to freed
memory.  tcp_disconnect() clears that pointer after calling
tcp_write_queue_purge(), but tcp_connect() does not.  It is
(surprisingly) possible to add to the write queue between
disconnection and reconnection, so this needs to be done in both
places.

This bug was introduced by backports of commit 7f582b248d0a ("tcp:
purge write queue in tcp_connect_init()") and does not exist upstream
because of earlier changes in commit 75c119afe14f ("tcp: implement
rb-tree based retransmit queue").  The latter is a major change that's
not suitable for stable.

Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
Cc: <stable@vger.kernel.org> # before 4.15
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/tcp.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index fed2a78fb8cb..f9b985d4d779 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1517,6 +1517,8 @@ struct tcp_fastopen_context {
 	struct rcu_head		rcu;
 };
 
+static inline void tcp_init_send_head(struct sock *sk);
+
 /* write queue abstraction */
 static inline void tcp_write_queue_purge(struct sock *sk)
 {
@@ -1524,6 +1526,7 @@ static inline void tcp_write_queue_purge(struct sock *sk)
 
 	while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL)
 		sk_wmem_free_skb(sk, skb);
+	tcp_init_send_head(sk);
 	sk_mem_reclaim(sk);
 	tcp_clear_all_retrans_hints(tcp_sk(sk));
 	inet_csk(sk)->icsk_backoff = 0;

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue
  2019-08-13 11:53 [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue Ben Hutchings
@ 2019-08-13 18:33 ` Greg Kroah-Hartman
  2019-08-20  2:11 ` Ben Hutchings
  1 sibling, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2019-08-13 18:33 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Sasha Levin, stable, Denis Andzakovic, Salvatore Bonaccorso,
	Eric Dumazet

On Tue, Aug 13, 2019 at 12:53:17PM +0100, Ben Hutchings wrote:
> Denis Andzakovic discovered a potential use-after-free in older kernel
> versions, using syzkaller.  tcp_write_queue_purge() frees all skbs in
> the TCP write queue and can leave sk->sk_send_head pointing to freed
> memory.  tcp_disconnect() clears that pointer after calling
> tcp_write_queue_purge(), but tcp_connect() does not.  It is
> (surprisingly) possible to add to the write queue between
> disconnection and reconnection, so this needs to be done in both
> places.
> 
> This bug was introduced by backports of commit 7f582b248d0a ("tcp:
> purge write queue in tcp_connect_init()") and does not exist upstream
> because of earlier changes in commit 75c119afe14f ("tcp: implement
> rb-tree based retransmit queue").  The latter is a major change that's
> not suitable for stable.
> 
> Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
> Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
> Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
> Cc: <stable@vger.kernel.org> # before 4.15
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  include/net/tcp.h | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index fed2a78fb8cb..f9b985d4d779 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -1517,6 +1517,8 @@ struct tcp_fastopen_context {
>  	struct rcu_head		rcu;
>  };
>  
> +static inline void tcp_init_send_head(struct sock *sk);
> +
>  /* write queue abstraction */
>  static inline void tcp_write_queue_purge(struct sock *sk)
>  {
> @@ -1524,6 +1526,7 @@ static inline void tcp_write_queue_purge(struct sock *sk)
>  
>  	while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL)
>  		sk_wmem_free_skb(sk, skb);
> +	tcp_init_send_head(sk);
>  	sk_mem_reclaim(sk);
>  	tcp_clear_all_retrans_hints(tcp_sk(sk));
>  	inet_csk(sk)->icsk_backoff = 0;


Nice catch, thanks for this.  Now queued up everywhere.

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue
  2019-08-13 11:53 [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue Ben Hutchings
  2019-08-13 18:33 ` Greg Kroah-Hartman
@ 2019-08-20  2:11 ` Ben Hutchings
  2019-08-20 13:27   ` Sasha Levin
  1 sibling, 1 reply; 4+ messages in thread
From: Ben Hutchings @ 2019-08-20  2:11 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Sasha Levin
  Cc: stable, Denis Andzakovic, Salvatore Bonaccorso, Eric Dumazet

[-- Attachment #1: Type: text/plain, Size: 2321 bytes --]

Sorry, this is the same issue that was already fixed by "tcp: reset
sk_send_head in tcp_write_queue_purge".  You can drop my version from
the queue for 4.4 and 4.9 and revert it for 4.14.

Ben.

On Tue, 2019-08-13 at 12:53 +0100, Ben Hutchings wrote:
> Denis Andzakovic discovered a potential use-after-free in older kernel
> versions, using syzkaller.  tcp_write_queue_purge() frees all skbs in
> the TCP write queue and can leave sk->sk_send_head pointing to freed
> memory.  tcp_disconnect() clears that pointer after calling
> tcp_write_queue_purge(), but tcp_connect() does not.  It is
> (surprisingly) possible to add to the write queue between
> disconnection and reconnection, so this needs to be done in both
> places.
> 
> This bug was introduced by backports of commit 7f582b248d0a ("tcp:
> purge write queue in tcp_connect_init()") and does not exist upstream
> because of earlier changes in commit 75c119afe14f ("tcp: implement
> rb-tree based retransmit queue").  The latter is a major change that's
> not suitable for stable.
> 
> Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
> Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
> Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
> Cc: <stable@vger.kernel.org> # before 4.15
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  include/net/tcp.h | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index fed2a78fb8cb..f9b985d4d779 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -1517,6 +1517,8 @@ struct tcp_fastopen_context {
>  	struct rcu_head		rcu;
>  };
>  
> +static inline void tcp_init_send_head(struct sock *sk);
> +
>  /* write queue abstraction */
>  static inline void tcp_write_queue_purge(struct sock *sk)
>  {
> @@ -1524,6 +1526,7 @@ static inline void tcp_write_queue_purge(struct sock *sk)
>  
>  	while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL)
>  		sk_wmem_free_skb(sk, skb);
> +	tcp_init_send_head(sk);
>  	sk_mem_reclaim(sk);
>  	tcp_clear_all_retrans_hints(tcp_sk(sk));
>  	inet_csk(sk)->icsk_backoff = 0;
-- 
Ben Hutchings
Experience is what causes a person to make new mistakes
instead of old ones.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue
  2019-08-20  2:11 ` Ben Hutchings
@ 2019-08-20 13:27   ` Sasha Levin
  0 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2019-08-20 13:27 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Greg Kroah-Hartman, stable, Denis Andzakovic,
	Salvatore Bonaccorso, Eric Dumazet

On Tue, Aug 20, 2019 at 03:11:37AM +0100, Ben Hutchings wrote:
>Sorry, this is the same issue that was already fixed by "tcp: reset
>sk_send_head in tcp_write_queue_purge".  You can drop my version from
>the queue for 4.4 and 4.9 and revert it for 4.14.

I've fixed it up, thanks Ben.

--
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-13 11:53 [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue Ben Hutchings
2019-08-13 18:33 ` Greg Kroah-Hartman
2019-08-20  2:11 ` Ben Hutchings
2019-08-20 13:27   ` Sasha Levin

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org stable@archiver.kernel.org
	public-inbox-index stable


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox