Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp412140rdb; Tue, 5 Dec 2023 08:42:29 -0800 (PST) X-Google-Smtp-Source: AGHT+IH796BUgc84sCMemSxklPVL/KU/hsY1J86jsrQVD+48BbVtznflYrbApKHOIDp44xnqaTxF X-Received: by 2002:a17:902:6b09:b0:1d0:8514:cd18 with SMTP id o9-20020a1709026b0900b001d08514cd18mr4915568plk.21.1701794549609; Tue, 05 Dec 2023 08:42:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701794549; cv=none; d=google.com; s=arc-20160816; b=dhZOfleOulHA8iBfA9a3FMjPirbsLwk0l/DV80H/49nyYTw9mSvopczurXtowc9KWE mayDifxX2kYZ0cKarpggJqtErXHo0XeOvJzsKDpcfyEz+79IfH0cTagT6e6QJK4TsQan Qu1r3ia0Rgp/6GQVUuYZCPCk6PyPde5VJ2AP/9/1ZaXoi2mTRn32p4h1Ui8DJ8lRq/mc +S8Dp0BMQDA+o2p2cGtB7XJjK8EktMJB+Brg89AiowyYfSSo2A+7wpjLu4NHgEOMvWqp AgZPWnc45/jYQjuiGUkS/Wvw2CMOsM7rikOT+9NhD3p2knsPBvOI41iTBpLDad7D2bxJ w6Ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=KYuKDd43mihty8rCENfkyLSyPMUXOf0NuMsF2cC2c1Q=; fh=VbWzGLDC/uZdqe7cth40nbZOM8HkmwYldETQb0yo044=; b=NxZ+n5g17P0QSSfhFhb2PKrsJAkB9/jbJe+GVqQmNg0ZWa+6C8LW9T0MzHN/3th03t 5nAZSX1TI+Hux5T+HczpVDaYPZhtVQw4ckfmXrSBEvxMZ4srvlIgCFnWG3soIw6mhhYW dWmzICN7j+wcLPviEY68E8KgGPR+HwphJ/cuR1yK29QTmK8MvqOzYejtaUhrRFlz9vcz lFi0CnOkVjvIuBELWHG9RVIKvQJkdQ7HWJAgnUAA8S0nVDvMAHtOh+90xSJVokGOat6G ffsEFztC1kKGQ25R7yQPnLktp4p6O2XlFI8f/r9W1ILCkU0i82R66jKh8jmA743e5rr6 sSSA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=UvBsFx+8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id h2-20020a170902f54200b001cf54c7adb7si8270902plf.20.2023.12.05.08.42.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Dec 2023 08:42:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=UvBsFx+8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 8A3BC80998B7; Tue, 5 Dec 2023 08:41:11 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229710AbjLEQk6 (ORCPT + 99 others); Tue, 5 Dec 2023 11:40:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58824 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229643AbjLEQk4 (ORCPT ); Tue, 5 Dec 2023 11:40:56 -0500 Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 409F8194 for ; Tue, 5 Dec 2023 08:41:02 -0800 (PST) Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-54c79cca895so16301a12.0 for ; Tue, 05 Dec 2023 08:41:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1701794461; x=1702399261; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=KYuKDd43mihty8rCENfkyLSyPMUXOf0NuMsF2cC2c1Q=; b=UvBsFx+8TxLRN0RT7keZP3llVew5qsUEKO2IcxTrmbBGHgPazqOgPYZ73lWjpNLbDM GdA0ZlV2LC1uJEECClukfXOhvPzeKE+XUaE5fqQw18NWPiWozyy9mHDVNHq1R+T4IE2+ 8+XMTjqvdZaPTB6CSxLPH67A2zZwOlAi90kU/Dj3VGPBa+xMfK0M+UIplPlZrRlAJrd6 6BvDfus8SZ6t5wSPhVOtPrREELiRmmf0vBAqheH7V61ezEtAMv2fxiZ+KP/rZ8HqzSxs yPMSseIl8qeXVurlUGX+RkSy8YTEhAjdvwXrqQug4rSdd8kQ/OAHTy6y8j8pt1nR1eSl aepg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701794461; x=1702399261; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=KYuKDd43mihty8rCENfkyLSyPMUXOf0NuMsF2cC2c1Q=; b=Cy1ZIyrm/AIjTe7MFzUaCfJQEmYGRKLIv6B0LHkkoQ61jMKe0JsMxnK1xOatclFIQ6 yweAfwzhidK0S30Cy1SFfqtktd2neSNLPa8YubkxUl3W4JZAHvDGTzDu0WDSdDfjFGF6 odDObhxaHcYO0/L1+8z6jm29P/rMzax41/0xRElSKb4eH+KGG3xUEATwNllfBOtknL5u 72eJpqLwAhV71I38FsmUmFL+Ca97sXMViyyEblP3lREmCQuzxvJhgwWGMhK6ZnNuNSIC f0/NupY0OTHJ0czPTHv7Wpb+p6g/YDuYPjbtVNeHDYBko5diq1OL3mrwLtxXWuALK/7l KiIw== X-Gm-Message-State: AOJu0Yzynh3flpvSlGnE8bCi8elGoG6j9Y+CY0Q672eXf6sQxIbzds1S V+RXCQU0FyXR4or0iYlU99QRr49MWiW2OW4v5BUGJg== X-Received: by 2002:a05:6402:22c4:b0:54c:f4fd:3427 with SMTP id dm4-20020a05640222c400b0054cf4fd3427mr207622edb.7.1701794460589; Tue, 05 Dec 2023 08:41:00 -0800 (PST) MIME-Version: 1.0 From: Jann Horn Date: Tue, 5 Dec 2023 17:40:24 +0100 Message-ID: Subject: Is xt_owner's owner_mt() racy with sock_orphan()? [worse with new TYPESAFE_BY_RCU file lifetime?] To: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , netfilter-devel , coreteam@netfilter.org Cc: Christian Brauner , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Network Development , kernel list Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Tue, 05 Dec 2023 08:41:11 -0800 (PST) Hi! I think this code is racy, but testing that seems like a pain... owner_mt() in xt_owner runs in context of a NF_INET_LOCAL_OUT or NF_INET_POST_ROUTING hook. It first checks that sk->sk_socket is non-NULL, then checks that sk->sk_socket->file is non-NULL, then accesses the ->f_cred of that file. I don't see anything that protects this against a concurrent sock_orphan(), which NULLs out the sk->sk_socket pointer, if we're in the context of a TCP retransmit or something like that. So I think we can theoretically have a NULL deref, though the compiler will probably optimize it away by merging the two loads of sk->sk_socket: static bool owner_mt(const struct sk_buff *skb, struct xt_action_param *par) { [...] const struct file *filp; struct sock *sk = skb_to_full_sk(skb); [...] if (!sk || !sk->sk_socket || !net_eq(net, sock_net(sk))) return (info->match ^ info->invert) == 0; else if (info->match & info->invert & XT_OWNER_SOCKET) [...] // concurrent sock_orphan() while we're here // null deref on second access to sk->sk_socket filp = sk->sk_socket->file; if (filp == NULL) [...] [...] } (Sidenote: I guess this also means xt_owner will treat a sock as having no owner as soon as it is orphaned? Which probably means that when a TCP socket enters linger state because it is close()d with data remaining in the output buffer, the remaining packets will be treated differently by netfilter?) I also think we have no guarantee here that the socket's ->file won't go away due to a concurrent __sock_release(), which could cause us to continue reading file credentials out of a file whose refcount has already dropped to zero? That was probably working sorta okay-ish in practice until now because files had RCU lifetime, "struct cred" also normally has RCU lifetime, and nf_hook() runs in an RCU read-side critical section; but now that "struct file" uses SLAB_TYPESAFE_BY_RCU, I think we can theoretically race such that the "struct file" could have been freed and reallocated in the meantime, causing us to see an entirely unrelated "struct file" and look at creds that are unrelated to the context from which the packet was sent. But again, I haven't actually tested this yet, I might be getting it wrong.