Hello, Eric:
I found upstream have fixed a UAF issue (smc: Fix use-after-free in tcp_write_timer_handler()):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf
When create a kernel socket use sock_create_kern , it won't call get_net() to increase refcnt for net where the socket is located.
I found some other subsystem(like rds and sunrpc) also use sock_create_kern to create kernel tcp socket, I want to know if they have same UAF problem?
Best wishes!
From: mengkanglai <[email protected]>
Date: Tue, 19 Dec 2023 13:44:36 +0000
> Hello, Eric:
>
> I found upstream have fixed a UAF issue (smc: Fix use-after-free in
> tcp_write_timer_handler()):
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf
>
> When create a kernel socket use sock_create_kern , it won't call get_net()
> to increase refcnt for net where the socket is located.
> I found some other subsystem(like rds and sunrpc) also use sock_create_kern
> to create kernel tcp socket, I want to know if they have same UAF problem?
You need to check if the subsystem itself holds net refcnt (not per socket)
and if it waits for TCP timer to be fired before destroying a socket.
It seems that runrpc holds net refcnt (xprt_net) and rds holds per-socket
net refcnt.