
tcp: Fix Use-After-Free in tcp_ao_connect_init

Message ID ZiYu9NJ/ClR8uSkH@v4bel-B760M-AORUS-ELITE-AX
State Accepted
Commit 80e679b352c3ce5158f3f778cfb77eb767e586fb
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 8 this patch: 8
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 2 blamed authors not CCed: noureddine@arista.com fruggeri@arista.com; 2 maintainers not CCed: noureddine@arista.com fruggeri@arista.com
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 8 this patch: 8
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 15 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-04-24--00-00 (tests: 994)

Commit Message

Hyunwoo Kim April 22, 2024, 9:33 a.m. UTC
Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
of tcp_ao_connect_init, is not part of the RCU read critical section, it
is possible that the RCU grace period will pass during the traversal and
the key will be freed.

To prevent this, it should be changed to hlist_for_each_entry_safe.

Fixes: 7c2ffaf21bd6 ("net/tcp: Calculate TCP-AO traffic keys")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
---
 net/ipv4/tcp_ao.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
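
The hazard the commit message describes, modelled in userspace C as an added example (this is not kernel code, not the patch, and not the author's): a minimal hlist with the kernel's node layout, a stand-in for call_rcu() in which the grace period elapses immediately, and one prune loop that can take either the pre-patch shape (successor read from the current key after the body) or the hlist_for_each_entry_safe() shape (successor cached before the body). `ao_key`, `prune_keys`, `key_free_after_grace_period` and `run_scenario` are constructed names, the four-key sample is constructed, and `LIST_POISON1` here is only a marker for reclaimed memory, not the kernel's constant.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal userspace model of the kernel's hlist. Everything in this file is
 * constructed for the example; it is neither kernel code nor the patch. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define LIST_POISON1 ((struct hlist_node *)0x100) /* marker: memory went back to the allocator */

/* Toy stand-in for struct tcp_ao_key: a key bound to one peer. */
struct ao_key { int peer; struct hlist_node node; };

static struct ao_key *entry_of(struct hlist_node *n) { return n ? container_of(n, struct ao_key, node) : NULL; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first) h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

/* Same shape as the kernel's hlist_del_rcu(): unlink but leave ->next intact,
 * so a reader already positioned on this node can still step past it. */
static void hlist_del_rcu(struct hlist_node *n)
{
	*n->pprev = n->next;
	if (n->next) n->next->pprev = n->pprev;
	n->pprev = NULL;
}

/* Stand-in for call_rcu() in the worst case the commit message describes: the
 * grace period elapses at once, so the key is reclaimed before the loop reads its
 * ->next. Poisoned rather than free()d (reading freed memory is undefined behaviour);
 * run_scenario() releases it at teardown. */
static void key_free_after_grace_period(struct ao_key *key)
{
	key->node.next = LIST_POISON1;
	key->peer = -1;
}

/* Drops every key not bound to keep_peer. safe == 0 is the pre-patch shape
 * (hlist_for_each_entry_rcu with no RCU read section held): ->next is read from
 * the current key after the body may have released it. safe == 1 is the
 * hlist_for_each_entry_safe() shape: the successor is cached before the body.
 * Returns keys kept, or -1 when the walk would follow a reclaimed pointer. */
static int prune_keys(struct hlist_head *head, int keep_peer, int safe)
{
	struct ao_key *key = entry_of(head->first);
	struct hlist_node *next = NULL;
	int kept = 0;
	while (key) {
		if (safe) next = key->node.next;	/* cached before the body runs */
		if (key->peer != keep_peer) {
			hlist_del_rcu(&key->node);
			key_free_after_grace_period(key);
		} else {
			kept++;
		}
		if (!safe) {
			next = key->node.next;		/* read after the body: may be gone */
			if (next == LIST_POISON1) return -1;	/* in the kernel: the use-after-free */
		}
		key = entry_of(next);
	}
	return kept;
}

/* Constructed sample: keys for peers 1, 2, 1, 3 (hlist_add_head reverses the order),
 * pruned down to peer 1. Returns the prune result, -2 if a wrong key survived,
 * -3 on allocation failure. */
static int run_scenario(int safe)
{
	static const int peers[] = { 1, 2, 1, 3 };
	struct hlist_head head = { NULL };
	struct ao_key *all[4] = { NULL };
	int ret = -3;
	for (size_t i = 0; i < 4; i++) {
		all[i] = calloc(1, sizeof(*all[i]));
		if (!all[i]) goto out;
		all[i]->peer = peers[i];
		hlist_add_head(&all[i]->node, &head);
	}
	ret = prune_keys(&head, 1, safe);
	for (struct ao_key *k = entry_of(head.first); ret >= 0 && k; k = entry_of(k->node.next))
		if (k->peer != 1) ret = -2;
out:
	for (size_t i = 0; i < 4; i++)
		free(all[i]);
	return ret;
}

int main(void)
{
	printf("rcu-style walk: %d (negative: stepped into a reclaimed key)\n", run_scenario(0));
	printf("safe walk: %d keys kept\n", run_scenario(1));
	return 0;
}
```

Compiled and run, the rcu-shaped walk reports -1 (it was about to follow a pointer read from a reclaimed key) and the safe walk keeps the two peer-1 keys. The model also shows what the `_safe` variant is and is not: it protects only against the loop body's own release of the current entry, which is exactly the case in tcp_ao_connect_init(), where the body itself queues keys for freeing; it offers nothing against concurrent writers, which the caller's locking has to exclude.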

Comments

Eric Dumazet April 22, 2024, 10:39 a.m. UTC | #1
On Mon, Apr 22, 2024 at 11:33 AM Hyunwoo Kim <v4bel@theori.io> wrote:
>
> Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
> of tcp_ao_connect_init, is not part of the RCU read critical section, it
> is possible that the RCU grace period will pass during the traversal and
> the key will be freed.
>
> To prevent this, it should be changed to hlist_for_each_entry_safe.
>
> Fixes: 7c2ffaf21bd6 ("net/tcp: Calculate TCP-AO traffic keys")
> Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks !
Dmitry Safonov April 22, 2024, 5:17 p.m. UTC | #2
On Mon, 22 Apr 2024 at 10:33, Hyunwoo Kim <v4bel@theori.io> wrote:
>
> Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
> of tcp_ao_connect_init, is not part of the RCU read critical section, it
> is possible that the RCU grace period will pass during the traversal and
> the key will be freed.
>
> To prevent this, it should be changed to hlist_for_each_entry_safe.
>
> Fixes: 7c2ffaf21bd6 ("net/tcp: Calculate TCP-AO traffic keys")
> Signed-off-by: Hyunwoo Kim <v4bel@theori.io>

Thank you,

Acked-by: Dmitry Safonov <0x7f454c46@gmail.com>


> ---
>  net/ipv4/tcp_ao.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
> index 3afeeb68e8a7..781b67a52571 100644
> --- a/net/ipv4/tcp_ao.c
> +++ b/net/ipv4/tcp_ao.c
> @@ -1068,6 +1068,7 @@ void tcp_ao_connect_init(struct sock *sk)
>  {
>         struct tcp_sock *tp = tcp_sk(sk);
>         struct tcp_ao_info *ao_info;
> +       struct hlist_node *next;
>         union tcp_ao_addr *addr;
>         struct tcp_ao_key *key;
>         int family, l3index;
> @@ -1090,7 +1091,7 @@ void tcp_ao_connect_init(struct sock *sk)
>         l3index = l3mdev_master_ifindex_by_index(sock_net(sk),
>                                                  sk->sk_bound_dev_if);
>
> -       hlist_for_each_entry_rcu(key, &ao_info->head, node) {
> +       hlist_for_each_entry_safe(key, next, &ao_info->head, node) {
>                 if (!tcp_ao_key_cmp(key, l3index, addr, key->prefixlen, family, -1, -1))
>                         continue;
>
> --
> 2.34.1
>


--
             Dmitry
patchwork-bot+netdevbpf@kernel.org April 24, 2024, 2:20 a.m. UTC | #3
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 22 Apr 2024 05:33:40 -0400 you wrote:
> Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
> of tcp_ao_connect_init, is not part of the RCU read critical section, it
> is possible that the RCU grace period will pass during the traversal and
> the key will be freed.
> 
> To prevent this, it should be changed to hlist_for_each_entry_safe.
> 
> [...]

Here is the summary with links:
  - tcp: Fix Use-After-Free in tcp_ao_connect_init
    https://git.kernel.org/netdev/net/c/80e679b352c3

You are awesome, thank you!

Patch

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 3afeeb68e8a7..781b67a52571 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1068,6 +1068,7 @@  void tcp_ao_connect_init(struct sock *sk)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
 	struct tcp_ao_info *ao_info;
+	struct hlist_node *next;
 	union tcp_ao_addr *addr;
 	struct tcp_ao_key *key;
 	int family, l3index;
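Review bot: the new `struct hlist_node *next;` lands between `ao_info` and `addr`, which keeps the declaration block in netdev's reverse-christmas-tree order (longest line first), so nothing to change in this hunk; the variable is written only by the iterator, so it needs no initialiser.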
@@ -1090,7 +1091,7 @@  void tcp_ao_connect_init(struct sock *sk)
 	l3index = l3mdev_master_ifindex_by_index(sock_net(sk),
 						 sk->sk_bound_dev_if);
 
-	hlist_for_each_entry_rcu(key, &ao_info->head, node) {
+	hlist_for_each_entry_safe(key, next, &ao_info->head, node) {
 		if (!tcp_ao_key_cmp(key, l3index, addr, key->prefixlen, family, -1, -1))
 			continue;
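Review bot: the fix matches the hazard the commit message describes: the `_safe` iterator reads `next` from `key` before the loop body runs, so the body may hand `key` to call_rcu() (that call lies past this hunk's context) without the walk touching it again. What neither the hunk nor the commit message records is what now serialises this traversal against concurrent writers, since hlist_for_each_entry_safe() carries no RCU annotation and does a plain dereference; naming the lock relied on (the socket lock held by the connect path, presumably) in the commit message, plus a one-line comment above the loop such as `/* Socket locked; the body frees keys, so no RCU iterator here */`, would stop a later reader from "restoring" the `_rcu` variant.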