From: Jann Horn
Date: Thu, 7 Oct 2021 17:57:54 +0200
Subject: Re: [PATCH 4.14 54/75] af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Eric Dumazet, "Eric W. Biederman", Luiz Augusto von Dentz, Marcel Holtmann, "David S. Miller", Sasha Levin
In-Reply-To: <20211004125033.335733437@linuxfoundation.org>
References: <20211004125031.530773667@linuxfoundation.org> <20211004125033.335733437@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 4, 2021 at 3:00 PM Greg Kroah-Hartman wrote:
>
> From: Eric Dumazet
>
> [ Upstream commit 35306eb23814444bd4021f8a1c3047d3cb0c8b2b ]
>
> Jann Horn reported that SO_PEERCRED and SO_PEERGROUPS implementations
> are racy, as af_unix can concurrently change sk_peer_pid and sk_peer_cred.
>
> In order to fix this issue, this patch adds a new spinlock that needs
> to be used whenever these fields are read or written.
>
> Jann also pointed out that l2cap_sock_get_peer_pid_cb() is currently
> reading sk->sk_peer_pid which makes no sense, as this field
> is only possibly set by AF_UNIX sockets.
> We will have to clean this in a separate patch.
> This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get_peer_pid callback"
> or implementing what was truly expected.
>
> Fixes: 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work across namespaces.")

From what I can tell, this fix only went into the stable trees for
>=4.14? SO_PEERGROUPS only appeared in 4.13, but the SO_PEERCRED in 4.4
and 4.9 seems to have exactly the same UAF read as it has on the newer
kernels.
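The race the quoted commit message describes, and the shape of the locking that closes it, modelled in userland C as an added illustration (this is not the kernel patch, nor code from Jann Horn or Eric Dumazet). Assumptions: a pthread mutex stands in for the new sk_peer_lock spinlock, a two-field refcounted struct stands in for struct cred, retired creds are only marked dead rather than freed so a stale reader can be detected instead of crashing, and the accessor names (locked_get_peer_cred, locked_set_peer_cred, racy_reader_sees_dead_cred, stale_reads_with_lock) are this example's own. The pattern shown (take the reference under the lock; swap under the lock and drop the old reference afterwards) is what the commit message describes in words.

```c
/* Userland model of the race in the quoted commit message: a reader loads
 * sk->sk_peer_cred and takes a reference while a writer swaps the pointer and
 * drops the old reference.  Added illustration, not kernel code: a pthread
 * mutex stands in for the spinlock, a tiny refcounted struct for struct cred,
 * and retired creds are marked dead instead of freed so stale use is detectable. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct cred { atomic_int usage; atomic_bool dead; };   /* usage = refcount */
struct sock {
    struct cred *sk_peer_cred;     /* the field the patch protects */
    pthread_mutex_t sk_peer_lock;  /* stands in for the new spinlock */
};

static struct cred *cred_alloc(void)
{
    struct cred *c = malloc(sizeof *c);
    atomic_init(&c->usage, 1);
    atomic_init(&c->dead, false);
    return c;
}
static void get_cred(struct cred *c) { atomic_fetch_add(&c->usage, 1); }
static void put_cred(struct cred *c)
{
    if (atomic_fetch_sub(&c->usage, 1) == 1)  /* last reference: "free" it */
        atomic_store(&c->dead, true);
}

/* Post-patch reader: the pointer load and get_cred() happen under the lock,
 * so no writer can retire the object between the two steps. */
static struct cred *locked_get_peer_cred(struct sock *sk)
{
    pthread_mutex_lock(&sk->sk_peer_lock);
    struct cred *c = sk->sk_peer_cred;
    if (c) get_cred(c);
    pthread_mutex_unlock(&sk->sk_peer_lock);
    return c;
}

/* Post-patch writer: swap under the lock, drop the old reference afterwards. */
static void locked_set_peer_cred(struct sock *sk, struct cred *nc)
{
    pthread_mutex_lock(&sk->sk_peer_lock);
    struct cred *old = sk->sk_peer_cred;
    sk->sk_peer_cred = nc;
    pthread_mutex_unlock(&sk->sk_peer_lock);
    if (old) put_cred(old);
}

/* Deterministic replay of the pre-patch reader (unlocked load, then get_cred())
 * with the writer interleaved between its two steps.  Returns true when the
 * reader ends up referencing a retired cred: in the kernel, a UAF read. */
bool racy_reader_sees_dead_cred(void)
{
    struct sock sk = { .sk_peer_cred = cred_alloc() };
    pthread_mutex_init(&sk.sk_peer_lock, NULL);
    struct cred *seen = sk.sk_peer_cred;     /* reader step 1: unlocked load */
    locked_set_peer_cred(&sk, cred_alloc()); /* writer: swap, put the old one */
    get_cred(seen);                          /* reader step 2: retired object */
    bool dead = atomic_load(&seen->dead);
    put_cred(seen);            free(seen);
    put_cred(sk.sk_peer_cred); free(sk.sk_peer_cred);
    pthread_mutex_destroy(&sk.sk_peer_lock);
    return dead;
}

/* Stress run of the locked accessors.  Readers count every time they hold a
 * reference to a retired cred; retired creds are leaked on purpose so that
 * check is always safe to make. */
enum { READERS = 2, READS = 20000, WRITES = 2000 };
struct stress { struct sock sk; atomic_int stale; };
static void *reader(void *arg)
{
    struct stress *st = arg;
    for (int i = 0; i < READS; i++) {
        struct cred *c = locked_get_peer_cred(&st->sk);
        if (atomic_load(&c->dead)) atomic_fetch_add(&st->stale, 1);
        put_cred(c);
    }
    return NULL;
}
static void *writer(void *arg)
{
    struct stress *st = arg;
    for (int i = 0; i < WRITES; i++)
        locked_set_peer_cred(&st->sk, cred_alloc());
    return NULL;
}

/* Returns the number of stale reads seen by the readers (expected 0). */
int stale_reads_with_lock(void)
{
    struct stress st = { .sk.sk_peer_cred = cred_alloc() };
    atomic_init(&st.stale, 0);
    pthread_mutex_init(&st.sk.sk_peer_lock, NULL);
    pthread_t tid[READERS + 1];
    for (int i = 0; i < READERS; i++)
        pthread_create(&tid[i], NULL, reader, &st);
    pthread_create(&tid[READERS], NULL, writer, &st);
    for (int i = 0; i <= READERS; i++)
        pthread_join(tid[i], NULL);
    return atomic_load(&st.stale);
}
```

The first function replays the window the commit message calls racy: the reader's pointer load and its reference take are two separate steps, and a writer that swaps the field and puts the old cred in between leaves the reader holding a retired object. The second runs the locked accessor pair under real contention and shows that, because the reference is taken before the lock is released, a reader never observes a retired cred; the writer dropping the old reference after unlocking matches the ordering the commit describes.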