Re: [Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?

From: Kuniyuki Iwashima
Date: Tue Dec 19 2023 - 10:09:38 EST

Next message: Steven Rostedt: "Re: [PATCH] ring-buffer: Fix slowpath of interrupted event"
Previous message: Kalle Valo: "Re: [PATCH v3] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices"
In reply to: mengkanglai: "[Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: mengkanglai <mengkanglai2@xxxxxxxxxx>
Date: Tue, 19 Dec 2023 13:44:36 +0000
> Hello, Eric:
>
> I found upstream have fixed a UAF issue (smc: Fix use-after-free in
> tcp_write_timer_handler()):
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf
>
> When create a kernel socket use sock_create_kern , it won't call get_net()
> to increase refcnt for net where the socket is located.
> I found some other subsystem(like rds and sunrpc) also use sock_create_kern
> to create kernel tcp socket, I want to know if they have same UAF problem?

You need to check if the subsystem itself holds net refcnt (not per socket)
and if it waits for TCP timer to be fired before destroying a socket.

It seems that runrpc holds net refcnt (xprt_net) and rds holds per-socket
net refcnt.

Next message: Steven Rostedt: "Re: [PATCH] ring-buffer: Fix slowpath of interrupted event"
Previous message: Kalle Valo: "Re: [PATCH v3] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices"
In reply to: mengkanglai: "[Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]