Date: Fri, 16 Oct 2020 15:30:16 -0700
From: Jakub Kicinski
To: Kleber Sacilotto de Souza, Eric Dumazet
Cc: netdev@vger.kernel.org, Gerrit Renker, "David S. Miller", Thadeu Lima de Souza Cascardo, "Gustavo A. R. Silva", "Alexander A. Klimov", Kees Cook, Alexey Kodanev, dccp@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock
Message-ID: <20201016153016.04bffc1e@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
In-Reply-To: <20201013171849.236025-2-kleber.souza@canonical.com>
References: <20201013171849.236025-1-kleber.souza@canonical.com> <20201013171849.236025-2-kleber.souza@canonical.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote:
> From: Thadeu Lima de Souza Cascardo
>
> When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
> del_timer_sync can't be used is because this relies on keeping a reference
> to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
> during disconnect, the timer should really belong to struct dccp_sock.
>
> This addresses CVE-2020-16119.
>
> Fixes: 839a6094140a ("net: dccp: Convert timers to use timer_setup()")
> Signed-off-by: Thadeu Lima de Souza Cascardo
> Signed-off-by: Kleber Sacilotto de Souza

I've been mulling over this fix. The layering violation really doesn't
sit well. We're reusing the timer object. What if we are really unlucky,
the timer fires and gets blocked by a cosmic ray just as it's about to try
to lock the socket, then user manages to reconnect, and timer starts
again. Potentially with a different CCID algo altogether?

Is disconnect ever called under the BH lock?

Maybe plumb a bool argument through to ccid*_hc_tx_exit() and do
a sk_stop_timer_sync() when called from disconnect()?

Or do refcounting on ccid_priv so that the timer holds both the socket
and the priv?
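As an added illustration of the lifetime problem under discussion and of the second alternative raised above (the timer holding a reference on both the socket and the CCID private state), the following is a user-space C model written for this page; it is not code from the patch, from this thread, or from the kernel. The struct names (sock, ccid_priv, ccid_timer), dccp_disconnect() and the hold/put helpers are constructed stand-ins for the kernel objects, not the real ones, and kfree() is modelled by a `freed` flag so that a late callback touching released state can be observed without undefined behaviour. Arming the timer with a reference on the socket only is the situation the commit message describes; arming it with a reference on the priv as well is the refcounting option.

```c
/* Added example, not kernel code: a user-space model of a CCID timer
 * that may run after disconnect() dropped the socket's private state.
 * All names below are constructed stand-ins for the kernel objects. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct ccid_priv;

/* Stand-in for struct sock: only the refcount and the tx CCID pointer
 * (dccps_hc_tx_ccid in the real code) matter for the model. */
struct sock {
    atomic_int refcnt;
    struct ccid_priv *tx_ccid;
};

/* Stand-in for the CCID tx private state. 'freed' models kfree() so the
 * memory stays readable and the model can detect a use after free. */
struct ccid_priv {
    atomic_int refcnt;
    int algo;             /* CCID number the callback expects to find */
    bool freed;
    struct sock *sk;
};

/* A pending timer: remembers which references it took when armed. */
struct ccid_timer {
    bool pending;
    bool holds_priv_ref;
    struct ccid_priv *priv;
};

struct schedule_result {
    int uaf_hits;         /* callbacks that touched freed private state */
    int algo_seen;        /* CCID number the callback read */
    int sock_refcnt;      /* socket refcount once the callback is done */
};

static int ccid_uaf_hits;

static void sock_hold(struct sock *sk) { atomic_fetch_add(&sk->refcnt, 1); }
static void sock_put(struct sock *sk) { atomic_fetch_sub(&sk->refcnt, 1); }
static void ccid_priv_hold(struct ccid_priv *p) { atomic_fetch_add(&p->refcnt, 1); }
static void ccid_priv_put(struct ccid_priv *p)
{
    if (atomic_fetch_sub(&p->refcnt, 1) == 1)
        p->freed = true;  /* last reference gone: modelled kfree() */
}

static struct ccid_priv *ccid_priv_new(struct sock *sk, int algo)
{
    struct ccid_priv *p = calloc(1, sizeof(*p));
    atomic_init(&p->refcnt, 1);   /* the socket's own reference */
    p->algo = algo;
    p->sk = sk;
    return p;
}

/* Arm the timer. A timer that pins only the socket is the pre-patch
 * situation; refcounted=true also pins the private state it will use. */
static void ccid_start_timer(struct ccid_timer *t, struct ccid_priv *p, bool refcounted)
{
    t->pending = true;
    t->priv = p;
    t->holds_priv_ref = refcounted;
    sock_hold(p->sk);
    if (refcounted)
        ccid_priv_hold(p);
}

/* Timer callback: read private state, then drop whatever was held. */
static int ccid_timer_fn(struct ccid_timer *t)
{
    struct ccid_priv *p = t->priv;
    int seen;

    if (!t->pending)
        return -1;
    if (p->freed)
        ccid_uaf_hits++;          /* would be a real UAF in the kernel */
    seen = p->algo;
    t->pending = false;
    sock_put(p->sk);
    if (t->holds_priv_ref)
        ccid_priv_put(p);
    return seen;
}

/* disconnect(): the socket gives up its private state, pending timer or not. */
static void dccp_disconnect(struct sock *sk)
{
    struct ccid_priv *p = sk->tx_ccid;
    sk->tx_ccid = NULL;
    ccid_priv_put(p);
}

/* The unlucky schedule: timer armed, disconnect runs, callback runs late. */
static struct schedule_result run_schedule(bool refcounted)
{
    struct sock sk;
    struct ccid_timer timer = { false, false, NULL };
    struct schedule_result r;
    struct ccid_priv *p;
    int before = ccid_uaf_hits;

    atomic_init(&sk.refcnt, 1);
    p = ccid_priv_new(&sk, 2);    /* constructed: CCID-2 in use */
    sk.tx_ccid = p;
    ccid_start_timer(&timer, p, refcounted);
    dccp_disconnect(&sk);         /* frees p unless the timer pinned it */
    r.algo_seen = ccid_timer_fn(&timer);
    r.uaf_hits = ccid_uaf_hits - before;
    r.sock_refcnt = atomic_load(&sk.refcnt);
    free(p);
    return r;
}

int main(void)
{
    struct schedule_result r = run_schedule(false);
    printf("timer pins sk only : uaf_hits=%d algo_seen=%d\n", r.uaf_hits, r.algo_seen);
    r = run_schedule(true);
    printf("timer pins sk+priv : uaf_hits=%d algo_seen=%d\n", r.uaf_hits, r.algo_seen);
    return 0;
}
```

The model only shows the second option; the first one (a synchronous timer stop from disconnect()) removes the late callback entirely rather than keeping its operand alive, and the two differ in whether the callback may still run after the socket has been reconnected.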