Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3511532pxb; Mon, 9 Nov 2020 13:11:46 -0800 (PST) X-Google-Smtp-Source: ABdhPJyMwlnnUtwMF9x4G6PoGsNQ+2hHezTxXQ5h2H6lNDtz/K9WWXR59cKhJIFQ8Is0G0STnK76 X-Received: by 2002:a17:906:46d2:: with SMTP id k18mr7610209ejs.33.1604956305828; Mon, 09 Nov 2020 13:11:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604956305; cv=none; d=google.com; s=arc-20160816; b=aUfALR5qXTxYFzZ9SzR1hm7Zr6NG3ztn6Ssd73Xu6J8/rKDgiDOtuI7UaTStx795N+ ujqvfQWDhDzRCtjlo1n8Er34p5bLGbmf6jU6HMlN+CwKsENJlPu22OcW+KV/q5lkQG1t exwziCTpvgnYuySDryz+KKIbKLyXVYSnukMoIo6QRwrhF9ud2iBh/R4xpIpINh9NCRp9 XDBWpR5419G9x/nhcjQwQoHgXr773GysUMY5Vf3z2TvSeDRFLrxpk0qnrH3/e60epqRR KCi2RElAbZNH/Yc8OX/a8bMtzKSNefqb2ch06OqidP9BM7jMqnswNLXpOL9/9Fs3r93o DdwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=3jGVmDZaTZ+PN/KGvEYM/kHSiiDDTykLi4rTUE7458Q=; b=BbunAi6vysyzgJ/18GJ92/2feWqZpNS2vc/P6ilS6UuxuaNx/AutcwAj87VGxPJyHp 47U8mu/81PSp6V7l9/fsn3zRW/dN/9WuOdrGrsjzboI5spCu3IOxM37Dmi4sS9nZZtVm J/S/z/jvLampN1/TDmO5nV3dLrCM1tKr59XhAyPXf88wkLq1Z9qYDqn9OTbDcNGVHiMj koI3j6XZn5n2VawLYPdPHoXjCIHjplmb/zBbV0IVze0bG8B2L3JNpNqXZL5xbm7NUiE+ jtkU5ss9lMKozIUqVboW1fOoVaLkn6Ly1H3k272teP4Pg7xqAUMA9pbZoIlfJFlEStXc yfzQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m18si7562044ejb.604.2020.11.09.13.11.23; Mon, 09 Nov 2020 13:11:45 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730699AbgKIVJV (ORCPT + 99 others); Mon, 9 Nov 2020 16:09:21 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:37429 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725946AbgKIVJV (ORCPT ); Mon, 9 Nov 2020 16:09:21 -0500 Received: from 1.general.cascardo.us.vpn ([10.172.70.58] helo=mussarela) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kcEPb-0001YJ-TT; Mon, 09 Nov 2020 21:09:16 +0000 Date: Mon, 9 Nov 2020 18:09:09 -0300 From: Thadeu Lima de Souza Cascardo To: Jakub Kicinski Cc: Kleber Sacilotto de Souza , Eric Dumazet , netdev@vger.kernel.org, Gerrit Renker , "David S. Miller" , "Gustavo A. R. Silva" , "Alexander A. Klimov" , Kees Cook , Alexey Kodanev , dccp@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock Message-ID: <20201109210909.GQ595944@mussarela> References: <20201013171849.236025-1-kleber.souza@canonical.com> <20201013171849.236025-2-kleber.souza@canonical.com> <20201016153016.04bffc1e@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> <20201109114828.GP595944@mussarela> <20201109094938.45b230c9@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201109094938.45b230c9@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 09, 2020 at 09:49:38AM -0800, Jakub Kicinski wrote: > On Mon, 9 Nov 2020 08:48:28 -0300 Thadeu Lima de Souza Cascardo wrote: > > On Fri, Oct 16, 2020 at 03:30:16PM -0700, Jakub Kicinski wrote: > > > On Tue, 13 Oct 2020 19:18:48 +0200 Kleber Sacilotto de Souza wrote: > > > > From: Thadeu Lima de Souza Cascardo > > > > > > > > When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason > > > > del_timer_sync can't be used is because this relies on keeping a reference > > > > to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that > > > > during disconnect, the timer should really belong to struct dccp_sock. > > > > > > > > This addresses CVE-2020-16119. > > > > > > > > Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup()) > > > > Signed-off-by: Thadeu Lima de Souza Cascardo > > > > Signed-off-by: Kleber Sacilotto de Souza > > > > > > I've been mulling over this fix. > > > > > > The layering violation really doesn't sit well. > > > > > > We're reusing the timer object. What if we are really unlucky, the > > > fires and gets blocked by a cosmic ray just as it's about to try to > > > lock the socket, then user manages to reconnect, and timer starts > > > again. Potentially with a different CCID algo altogether? > > > > > > Is disconnect ever called under the BH lock? Maybe plumb a bool > > > argument through to ccid*_hc_tx_exit() and do a sk_stop_timer_sync() > > > when called from disconnect()? > > > > > > Or do refcounting on ccid_priv so that the timer holds both the socket > > > and the priv? > > > > Sorry about too late a response. I was on vacation, then came back and spent a > > couple of days testing this further, and had to switch to other tasks. > > > > So, while testing this, I had to resort to tricks like having a very small > > expire and enqueuing on a different CPU. Then, after some minutes, I hit a UAF. > > That's with or without the first of the second patch. > > > > I also tried to refcount ccid instead of the socket, keeping the timer on the > > ccid, but that still hit the UAF, and that's when I had to switch tasks. > > Hm, not instead, as well. I think trying cancel the timer _sync from > the disconnect path would be the simplest solution, tho. > I don't think so. On other paths, we would still have the possibility that: CPU1: timer expires and is about to run CPU2: calls stop_timer (which does not stop anything) and frees ccid CPU1: timer runs and uses freed ccid And those paths, IIUC, may be run under a SoftIRQ on the receive path, so would not be able to call stop_timer_sync. > > Oh, and in the meantime, I found one or two other fixes that we > > should apply, will send them shortly. > > > > But I would argue that we should apply the revert as it addresses the > > CVE, without really regressing the other UAF, as I argued. Does that > > make sense? > > We can - it's always a little strange to go from one bug to a different > without a fix - but the justification being that while the previous UAF > required a race condition the new one is actually worst because it can > be triggered reliably? Well, I am arguing here that commit 2677d20677314101293e6da0094ede7b5526d2b1 ("dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()") doesn't really fix anything. Whenever ccid_hx_tx_delete is called, that UAF might happen, because the timer might trigger right after we free the ccid struct. And, yes, on the other hand, we can reliably launch the DoS attack that is fixed by the revert of that commit. Thanks. Cascardo.