Date: Fri, 24 Mar 2017 15:21:06 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Andrey Konovalov <andreyknvl@...gle.com>
Cc: oss-security@...ts.openwall.com, "David S. Miller" <davem@...emloft.net>, 
	Alexey Kuznetsov <kuznet@....inr.ac.ru>, James Morris <jmorris@...ei.org>, 
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, Patrick McHardy <kaber@...sh.net>, 
	netdev <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	Vasily Kulikov <segoon@...nwall.com>
Subject: Re: Linux kernel ping socket / AF_LLC connect()
 sin_family race

On Fri, Mar 24, 2017 at 1:43 PM, Andrey Konovalov <andreyknvl@...gle.com>
wrote:

> On Fri, Mar 24, 2017 at 9:27 PM, Solar Designer <solar@...nwall.com>
> wrote:
> > Hi,
> >
> > I haven't fully investigated this issue, and the Subject is provisional
> > (but will probably get stuck).  I am not yet sure which kernel
> > subsystem(s) to blame here (ping sockets? LLC sockets? other/more?), and
> > there might be other ways to trigger the issue.
>
> Reproduced the crash on current upstream
> (ebe64824e9de4b3ab3bd3928312b4b2bc57b4b7e).
>
> Adding kernel maintainers.
>

Looks easy enough to fix?

diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index
2af6244b83e27ae384e96cf071c10c5a89674804..ccfbce13a6333a65dab64e4847dd510dfafb1b43
100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
 void ping_unhash(struct sock *sk)
 {
        struct inet_sock *isk = inet_sk(sk);
+
        pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
+       write_lock_bh(&ping_table.lock);
        if (sk_hashed(sk)) {
-               write_lock_bh(&ping_table.lock);
                hlist_nulls_del(&sk->sk_nulls_node);
                sk_nulls_node_init(&sk->sk_nulls_node);
                sock_put(sk);
                isk->inet_num = 0;
                isk->inet_sport = 0;
                sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-               write_unlock_bh(&ping_table.lock);
        }
+       write_unlock_bh(&ping_table.lock);
 }
 EXPORT_SYMBOL_GPL(ping_unhash);
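
Review bot: the reason sk_hashed(sk) now has to sit inside write_lock_bh(&ping_table.lock) is not recorded anywhere in ping_unhash(), and the patch carries no changelog text. Please add a short comment above the lock acquisition saying the check and the hlist_nulls_del()/sock_put() sequence must be atomic, since with the old placement two callers could both pass the check before either took the lock and both run the removal and the sock_put(). Without that comment a later cleanup could move the test back outside to avoid taking the lock on unhashed sockets. Two smaller points: the pr_debug() line still reads isk->inet_num before the lock is taken, so the value it prints can be stale relative to the branch below, and the blank line added after the isk declaration is an unrelated whitespace change that would be better left out of a fix intended for backporting.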
