Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue

From: Rainer Weikusat
Date: Fri Nov 13 2015 - 14:06:46 EST

Next message: Luiz Capitulino: "Re: [PATCH RFC] ioctl based CAT interface"
Previous message: Laura Abbott: "Re: [PATCHv2 2/2] arm64: Allow changing of attributes outside of modules"
In reply to: Hannes Frederic Sowa: "Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue"
Next in thread: Jason Baron: "Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx> writes:
> On Wed, Nov 11, 2015, at 17:12, Rainer Weikusat wrote:
>> Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx> writes:
>> > On Tue, Nov 10, 2015, at 22:55, Rainer Weikusat wrote:
>> >> An AF_UNIX datagram socket being the client in an n:1 association with
>> >> some server socket is only allowed to send messages to the server if the
>> >> receive queue of this socket contains at most sk_max_ack_backlog
>> >> datagrams.
>>
>> [...]
>>
>> > This whole patch seems pretty complicated to me.
>> >
>> > Can't we just remove the unix_recvq_full checks alltogether and unify
>> > unix_dgram_poll with unix_poll?
>> >
>> > If we want to be cautious we could simply make unix_max_dgram_qlen limit
>> > the number of skbs which are in flight from a sending socket. The skb
>> > destructor can then decrement this. This seems much simpler.
>> >
>> > Would this work?
>>
>> In the way this is intended to work, cf
>>
>> http://marc.info/?t=115627606000002&r=1&w=2
>
> Oh, I see, we don't limit closed but still referenced sockets. This
> actually makes sense on how fd handling is implemented, just as a range
> check.
>
> Have you checked if we can somehow deregister the socket in the poll
> event framework? You wrote that it does not provide such a function but
> maybe it would be easy to add?

I thought about this but this would amount to adding a general interface
for the sole purpose of enabling the af_unix code to talk to the
eventpoll code and I don't really like this idea: IMHO, there should be
at least two users (preferably three) before creating any kind of
'abstract interface'. An even more ideal "castle in the air"
(hypothetical) solution would be "change the eventpoll.c code such that
it won't be affected if a wait queue just goes away". That's at least
theoretically possible (although it might not be in practice).

I wouldn't mind doing that (assuming it was possible) if it was just
for the kernels my employer uses because I'm aware of the uses these
will be put to and in control of the corresponding userland code. But
for "general Linux code", changing epoll in order to help the af_unix
code is more potential trouble than it's worth: Exchanging a relatively
unimportant bug in some module for a much more visibly damaging bug in a
central facility would be a bad tradeoff.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Luiz Capitulino: "Re: [PATCH RFC] ioctl based CAT interface"
Previous message: Laura Abbott: "Re: [PATCHv2 2/2] arm64: Allow changing of attributes outside of modules"
In reply to: Hannes Frederic Sowa: "Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue"
Next in thread: Jason Baron: "Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]