mirror of
https://github.com/torvalds/linux.git
synced 2024-11-26 22:21:42 +00:00
8866730aed
AF_UNIX stream sockets are a paired socket. So sending on one of the pairs
will lookup the paired socket as part of the send operation. It is possible
however to put just one of the pairs in a BPF map. This currently increments
the refcnt on the sock in the sockmap to ensure it is not free'd by the
stack before sockmap cleans up its state and stops any skbs being sent/recv'd
to that socket.
But we missed a case. If the peer socket is closed it will be free'd by the
stack. However, the paired socket can still be referenced from BPF sockmap
side because we hold a reference there. Then if we are sending traffic through
BPF sockmap to that socket it will try to dereference the free'd pair in its
send logic creating a use after free. And following splat:
[59.900375] BUG: KASAN: slab-use-after-free in sk_wake_async+0x31/0x1b0
[59.901211] Read of size 8 at addr ffff88811acbf060 by task kworker/1:2/954
[...]
[59.905468] Call Trace:
[59.905787] <TASK>
[59.906066] dump_stack_lvl+0x130/0x1d0
[59.908877] print_report+0x16f/0x740
[59.910629] kasan_report+0x118/0x160
[59.912576] sk_wake_async+0x31/0x1b0
[59.913554] sock_def_readable+0x156/0x2a0
[59.914060] unix_stream_sendmsg+0x3f9/0x12a0
[59.916398] sock_sendmsg+0x20e/0x250
[59.916854] skb_send_sock+0x236/0xac0
[59.920527] sk_psock_backlog+0x287/0xaa0
To fix let BPF sockmap hold a refcnt on both the socket in the sockmap and its
paired socket. It wasn't obvious how to contain the fix to bpf_unix logic. The
primarily problem with keeping this logic in bpf_unix was: In the sock close()
we could handle the deref by having a close handler. But, when we are destroying
the psock through a map delete operation we wouldn't have gotten any signal
thorugh the proto struct other than it being replaced. If we do the deref from
the proto replace its too early because we need to deref the sk_pair after the
backlog worker has been stopped.
Given all this it seems best to just cache it at the end of the psock and eat 8B
for the af_unix and vsock users. Notice dgram sockets are OK because they handle
locking already.
Fixes: 94531cfcbe ("af_unix: Add unix_stream_proto for sockmap")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20231129012557.95371-2-john.fastabend@gmail.com
109 lines
2.9 KiB
C
109 lines
2.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __LINUX_NET_AFUNIX_H
|
|
#define __LINUX_NET_AFUNIX_H
|
|
|
|
#include <linux/socket.h>
|
|
#include <linux/un.h>
|
|
#include <linux/mutex.h>
|
|
#include <linux/refcount.h>
|
|
#include <net/sock.h>
|
|
|
|
void unix_inflight(struct user_struct *user, struct file *fp);
|
|
void unix_notinflight(struct user_struct *user, struct file *fp);
|
|
void unix_destruct_scm(struct sk_buff *skb);
|
|
void io_uring_destruct_scm(struct sk_buff *skb);
|
|
void unix_gc(void);
|
|
void wait_for_unix_gc(void);
|
|
struct sock *unix_get_socket(struct file *filp);
|
|
struct sock *unix_peer_get(struct sock *sk);
|
|
|
|
#define UNIX_HASH_MOD (256 - 1)
|
|
#define UNIX_HASH_SIZE (256 * 2)
|
|
#define UNIX_HASH_BITS 8
|
|
|
|
extern unsigned int unix_tot_inflight;
|
|
|
|
struct unix_address {
|
|
refcount_t refcnt;
|
|
int len;
|
|
struct sockaddr_un name[];
|
|
};
|
|
|
|
struct unix_skb_parms {
|
|
struct pid *pid; /* Skb credentials */
|
|
kuid_t uid;
|
|
kgid_t gid;
|
|
struct scm_fp_list *fp; /* Passed files */
|
|
#ifdef CONFIG_SECURITY_NETWORK
|
|
u32 secid; /* Security ID */
|
|
#endif
|
|
u32 consumed;
|
|
} __randomize_layout;
|
|
|
|
struct scm_stat {
|
|
atomic_t nr_fds;
|
|
};
|
|
|
|
#define UNIXCB(skb) (*(struct unix_skb_parms *)&((skb)->cb))
|
|
|
|
#define unix_state_lock(s) spin_lock(&unix_sk(s)->lock)
|
|
#define unix_state_unlock(s) spin_unlock(&unix_sk(s)->lock)
|
|
#define unix_state_lock_nested(s) \
|
|
spin_lock_nested(&unix_sk(s)->lock, \
|
|
SINGLE_DEPTH_NESTING)
|
|
|
|
/* The AF_UNIX socket */
|
|
struct unix_sock {
|
|
/* WARNING: sk has to be the first member */
|
|
struct sock sk;
|
|
struct unix_address *addr;
|
|
struct path path;
|
|
struct mutex iolock, bindlock;
|
|
struct sock *peer;
|
|
struct list_head link;
|
|
atomic_long_t inflight;
|
|
spinlock_t lock;
|
|
unsigned long gc_flags;
|
|
#define UNIX_GC_CANDIDATE 0
|
|
#define UNIX_GC_MAYBE_CYCLE 1
|
|
struct socket_wq peer_wq;
|
|
wait_queue_entry_t peer_wake;
|
|
struct scm_stat scm_stat;
|
|
#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
|
|
struct sk_buff *oob_skb;
|
|
#endif
|
|
};
|
|
|
|
#define unix_sk(ptr) container_of_const(ptr, struct unix_sock, sk)
|
|
#define unix_peer(sk) (unix_sk(sk)->peer)
|
|
|
|
#define peer_wait peer_wq.wait
|
|
|
|
long unix_inq_len(struct sock *sk);
|
|
long unix_outq_len(struct sock *sk);
|
|
|
|
int __unix_dgram_recvmsg(struct sock *sk, struct msghdr *msg, size_t size,
|
|
int flags);
|
|
int __unix_stream_recvmsg(struct sock *sk, struct msghdr *msg, size_t size,
|
|
int flags);
|
|
#ifdef CONFIG_SYSCTL
|
|
int unix_sysctl_register(struct net *net);
|
|
void unix_sysctl_unregister(struct net *net);
|
|
#else
|
|
static inline int unix_sysctl_register(struct net *net) { return 0; }
|
|
static inline void unix_sysctl_unregister(struct net *net) {}
|
|
#endif
|
|
|
|
#ifdef CONFIG_BPF_SYSCALL
|
|
extern struct proto unix_dgram_proto;
|
|
extern struct proto unix_stream_proto;
|
|
|
|
int unix_dgram_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore);
|
|
int unix_stream_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore);
|
|
void __init unix_bpf_build_proto(void);
|
|
#else
|
|
static inline void __init unix_bpf_build_proto(void)
|
|
{}
|
|
#endif
|
|
#endif
|