Date: Thu, 15 Oct 2020 07:53:58 -0300
From: Thadeu Lima de Souza Cascardo
To: Jakub Kicinski
Cc: Kleber Sacilotto de Souza, netdev@vger.kernel.org, Gerrit Renker, "David S. Miller", "Gustavo A. R. Silva", "Alexander A. Klimov", Kees Cook, Eric Dumazet, Alexey Kodanev, dccp@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock
Message-ID: <20201015105358.GA367246@mussarela>
In-Reply-To: <20201014204322.7a51c375@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
References: <20201013171849.236025-1-kleber.souza@canonical.com> <20201013171849.236025-2-kleber.souza@canonical.com> <20201014204322.7a51c375@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Wed, Oct 14, 2020 at 08:43:22PM -0700, Jakub Kicinski wrote:
> On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote:
> > From: Thadeu Lima de Souza Cascardo
> >
> > When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
> > del_timer_sync can't be used is because this relies on keeping a reference
> > to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
> > during disconnect, the timer should really belong to struct dccp_sock.
> >
> > This addresses CVE-2020-16119.
> >
> > Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
> >
> > Signed-off-by: Thadeu Lima de Souza Cascardo
> > Signed-off-by: Kleber Sacilotto de Souza
>
> Presumably you chose this commit because the fix won't apply beyond it?
> But it really fixes 2677d2067731 (dccp: don't free.. right?

Well, it should also fix cases where dccps_hc_tx_ccid{,_private} has been
freed right after the timer is stopped. So, we could add:

Fixes: 2a91aa396739 ([DCCP] CCID2: Initial CCID2 (TCP-Like) implementation)
Fixes: 7c657876b63c ([DCCP]: Initial implementation)

But I wouldn't say that this fixes 2677d2067731, unless there is an argument
to say that it fixes it because it claimed to fix what is being fixed here.
But even the code that it removed was supposed to be stopping the timer, so
how could it ever fix what it was claiming to fix?

Thanks.
Cascardo.