Subject: Re: [PATCH 2/2] Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()"
From: Kleber Souza
To: Jakub Kicinski
Cc: netdev@vger.kernel.org, Gerrit Renker, "David S. Miller", Thadeu Lima de Souza Cascardo, "Gustavo A. R. Silva", "Alexander A. Klimov", Kees Cook, Eric Dumazet, Alexey Kodanev, dccp@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Thu, 15 Oct 2020 11:23:53 +0200
Message-ID: <686668d9-8d7a-1ad1-a210-0b6abaa8dc36@canonical.com>
In-Reply-To: <20201014204230.56cbfb12@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
References: <20201013171849.236025-1-kleber.souza@canonical.com> <20201013171849.236025-3-kleber.souza@canonical.com> <20201014204230.56cbfb12@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On 15.10.20 05:42, Jakub Kicinski wrote:
> On Tue, 13 Oct 2020 19:18:49 +0200 Kleber Sacilotto de Souza wrote:
>> From: Thadeu Lima de Souza Cascardo
>>
>> This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
>>
>> This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
>> kept, allowing the socket to be reused as a listener socket, and the cloned
>> socket will free its dccps_hc_tx_ccid, leading to a later use after free,
>> when the listener socket is closed.
>>
>> This addresses CVE-2020-16119.
>>
>> Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
>> Reported-by: Hadar Manor
>
> Does this person have an email address?

We have received this report via a private Launchpad bug and the submitter
didn't provide any public email address, so we have only their name.

>
>> Signed-off-by: Thadeu Lima de Souza Cascardo
>> Signed-off-by: Kleber Sacilotto de Souza
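
Added example, not part of the original message or of the kernel patch: a toy C model of the lifetime problem the quoted commit message describes, comparing a disconnect that keeps the TX CCID pointer with one that frees it. All names (toy_sock, toy_ccid, stale_uses) are hypothetical, and a liveness flag stands in for the real free so that the stale access is detected rather than executed.

```c
#include <stddef.h>

/* Toy model, not kernel code: a pool slot stands in for the CCID TX state. */
struct toy_ccid { int live; };
struct toy_sock { struct toy_ccid *tx_ccid; };

static struct toy_ccid pool[4];
static size_t pool_next;

static struct toy_ccid *ccid_new(void) {
    struct toy_ccid *c = &pool[pool_next++ % 4];
    c->live = 1;
    return c;
}

/* "Freeing" only clears the flag, so a later stale access can be detected safely. */
static void ccid_delete(struct toy_ccid *c) { if (c) c->live = 0; }

/* Behaviour being reverted: disconnect leaves tx_ccid attached to the socket. */
static void disconnect_keep(struct toy_sock *sk) { (void)sk; }

/* Behaviour after the revert: disconnect releases tx_ccid and clears the pointer. */
static void disconnect_free(struct toy_sock *sk) {
    ccid_delete(sk->tx_ccid);
    sk->tx_ccid = NULL;
}

/* Cloning a listener copies the struct, pointer included (assumed shallow copy). */
static struct toy_sock sock_clone(const struct toy_sock *l) { return *l; }

/* Returns 1 if teardown touched an object that was already released. */
static int sock_destroy(struct toy_sock *sk) {
    int stale = sk->tx_ccid && !sk->tx_ccid->live;
    ccid_delete(sk->tx_ccid);
    sk->tx_ccid = NULL;
    return stale;
}

/* connect -> disconnect -> reuse as listener -> clone -> child freed -> listener closed */
static int stale_uses(void (*disconnect)(struct toy_sock *)) {
    struct toy_sock sk = { ccid_new() };
    disconnect(&sk);
    struct toy_sock child = sock_clone(&sk);
    int stale = sock_destroy(&child);
    return stale + sock_destroy(&sk);
}

int main(void) {
    return !(stale_uses(disconnect_keep) == 1 && stale_uses(disconnect_free) == 0);
}
```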