stable.vger.kernel.org archive mirror
From: Ben Hutchings <ben@decadent.org.uk>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org,
	Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>,
	Salvatore Bonaccorso <carnil@debian.org>,
	Eric Dumazet <edumazet@google.com>
Subject: Re: [PATCH 3.16-4.14] tcp: Clear sk_send_head after purging the write queue
Date: Tue, 20 Aug 2019 03:11:37 +0100	[thread overview]
Message-ID: <41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel@decadent.org.uk> (raw)
In-Reply-To: <20190813115317.6cgml2mckd3c6u7z@decadent.org.uk>


Sorry, this is the same issue that was already fixed by "tcp: reset
sk_send_head in tcp_write_queue_purge".  You can drop my version from
the queue for 4.4 and 4.9 and revert it for 4.14.

Ben.

On Tue, 2019-08-13 at 12:53 +0100, Ben Hutchings wrote:
> Denis Andzakovic discovered a potential use-after-free in older kernel
> versions, using syzkaller.  tcp_write_queue_purge() frees all skbs in
> the TCP write queue and can leave sk->sk_send_head pointing to freed
> memory.  tcp_disconnect() clears that pointer after calling
> tcp_write_queue_purge(), but tcp_connect() does not.  It is
> (surprisingly) possible to add to the write queue between
> disconnection and reconnection, so this needs to be done in both
> places.
> 
> This bug was introduced by backports of commit 7f582b248d0a ("tcp:
> purge write queue in tcp_connect_init()") and does not exist upstream
> because of earlier changes in commit 75c119afe14f ("tcp: implement
> rb-tree based retransmit queue").  The latter is a major change that's
> not suitable for stable.
> 
> Reported-by: Denis Andzakovic <denis.andzakovic@pulsesecurity.co.nz>
> Bisected-by: Salvatore Bonaccorso <carnil@debian.org>
> Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()")
> Cc: <stable@vger.kernel.org> # before 4.15
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  include/net/tcp.h | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index fed2a78fb8cb..f9b985d4d779 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -1517,6 +1517,8 @@ struct tcp_fastopen_context {
>  	struct rcu_head		rcu;
>  };
>  
> +static inline void tcp_init_send_head(struct sock *sk);
> +
>  /* write queue abstraction */
>  static inline void tcp_write_queue_purge(struct sock *sk)
>  {
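Review bot: the `static inline void tcp_init_send_head(struct sock *sk);` prototype added just before `/* write queue abstraction */` only makes sense because the function's definition sits further down the header than tcp_write_queue_purge(); a forward declaration of a static inline is easy to misread as a new function, so moving tcp_init_send_head()'s definition above tcp_write_queue_purge() would avoid the prototype altogether, and if the prototype is kept the commit message should say why it is there.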
> @@ -1524,6 +1526,7 @@ static inline void tcp_write_queue_purge(struct sock *sk)
>  
>  	while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL)
>  		sk_wmem_free_skb(sk, skb);
> +	tcp_init_send_head(sk);
>  	sk_mem_reclaim(sk);
>  	tcp_clear_all_retrans_hints(tcp_sk(sk));
>  	inet_csk(sk)->icsk_backoff = 0;
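Review bot: with `tcp_init_send_head(sk);` now called from inside tcp_write_queue_purge(), the explicit clearing of sk_send_head that the commit message says tcp_disconnect() performs after calling tcp_write_queue_purge() becomes redundant and should either be dropped in the same patch or mentioned as intentionally left in place. More importantly, as the follow-up reply in this thread notes, the stable backport "tcp: reset sk_send_head in tcp_write_queue_purge" already makes this same change, so this hunk should be dropped from the 4.4 and 4.9 queues and reverted for 4.14 rather than applied a second time.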
-- 
Ben Hutchings
Experience is what causes a person to make new mistakes
instead of old ones.
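The following is an added example and not code from the patch or from the kernel: a toy C model of the write queue and its sk_send_head cursor that replays the sequence described in the quoted commit message (disconnect, queue data, reconnect) against an unpatched and a patched purge. The names struct wq_sock, wq_enqueue, wq_purge_buggy, wq_purge_fixed and wq_reconnect_leaves_dangling are invented here; the real kernel uses sk_buff lists and tcp_init_send_head().

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of sk_write_queue (singly linked) plus the sk_send_head
 * cursor.  All names here are invented for this illustration and are
 * not the kernel's own data structures. */
struct wq_skb {
	struct wq_skb *next;
	char data[32];
};

struct wq_sock {
	struct wq_skb *head;       /* models sk->sk_write_queue */
	struct wq_skb *send_head;  /* models sk->sk_send_head */
};

/* Append an skb; if nothing is pending, it becomes the send head,
 * mirroring what queueing to the tail does in the real kernel. */
static void wq_enqueue(struct wq_sock *sk, const char *payload)
{
	struct wq_skb *skb = calloc(1, sizeof(*skb));
	if (!skb)
		abort();
	strncpy(skb->data, payload, sizeof(skb->data) - 1);
	if (!sk->head) {
		sk->head = skb;
	} else {
		struct wq_skb *t = sk->head;
		while (t->next)
			t = t->next;
		t->next = skb;
	}
	if (!sk->send_head)
		sk->send_head = skb;
}

/* The pre-patch purge: every skb is freed, but the send_head cursor is
 * left untouched and may now point at freed memory. */
static void wq_purge_buggy(struct wq_sock *sk)
{
	struct wq_skb *skb = sk->head;
	while (skb) {
		struct wq_skb *next = skb->next;
		free(skb);
		skb = next;
	}
	sk->head = NULL;
}

/* The patched purge: identical, plus the reset that the patch adds by
 * calling tcp_init_send_head(). */
static void wq_purge_fixed(struct wq_sock *sk)
{
	wq_purge_buggy(sk);
	sk->send_head = NULL;
}

/* Replays the sequence from the report: tcp_disconnect() purges the
 * queue and clears send_head itself; data is then queued before the
 * socket reconnects; tcp_connect_init() purges again.  Returns 1 if
 * send_head is still non-NULL afterwards, i.e. it points at an skb that
 * has been freed and the next transmit would be a use-after-free.
 * The dangling pointer is compared, never dereferenced. */
static int wq_reconnect_leaves_dangling(int patched)
{
	struct wq_sock sk;
	int dangling;

	memset(&sk, 0, sizeof(sk));
	wq_enqueue(&sk, "data sent on the first connection");

	/* tcp_disconnect(): purge, then clear sk_send_head explicitly */
	wq_purge_buggy(&sk);
	sk.send_head = NULL;

	/* queued between disconnection and reconnection */
	wq_enqueue(&sk, "data queued before reconnect");

	/* tcp_connect_init(): purge again; only the patched purge clears */
	if (patched)
		wq_purge_fixed(&sk);
	else
		wq_purge_buggy(&sk);

	dangling = sk.send_head != NULL;
	sk.send_head = NULL;
	return dangling;
}

int main(void)
{
	printf("unpatched purge leaves send_head dangling: %d\n",
	       wq_reconnect_leaves_dangling(0));
	printf("patched purge leaves send_head dangling:   %d\n",
	       wq_reconnect_leaves_dangling(1));
	return 0;
}
```

The unpatched path returns 1: the second enqueue installed the new skb as send_head, the reconnect purge freed it, and nothing reset the cursor. The patched path returns 0 because the reset now lives inside the purge itself, so every caller of it, not only tcp_disconnect(), is covered.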



Thread overview: 4+ messages
2019-08-13 11:53 Ben Hutchings
2019-08-13 18:33 ` Greg Kroah-Hartman
2019-08-20  2:11 ` Ben Hutchings [this message]
2019-08-20 13:27   ` Sasha Levin