Re: [PATCH net v3] sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket

Kuniyuki Iwashima <kuniyu@xxxxxxxxxx> · Mon, 11 Nov 2024 15:00:52 -0800

From: Chuck Lever <chuck.lever@xxxxxxxxxx>
Date: Mon, 11 Nov 2024 10:11:08 -0500
> > diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
> > index 6f272013fd9b..d4330aaadc23 100644
> > --- a/net/sunrpc/svcsock.c
> > +++ b/net/sunrpc/svcsock.c
> > @@ -1551,6 +1551,10 @@ static struct svc_xprt *svc_create_socket(struct svc_serv *serv,
> >  	newlen = error;
> >  
> >  	if (protocol == IPPROTO_TCP) {
> > +		__netns_tracker_free(net, &sock->sk->ns_tracker, false);
> > +		sock->sk->sk_net_refcnt = 1;
> > +		get_net_track(net, &sock->sk->ns_tracker, GFP_KERNEL);
> > +		sock_inuse_add(net, 1);
> 
> I'm not as familiar with net tracking as perhaps I should be. Can
> you tell me where this reference count is released, or does it not
> need to be?

It's decremented when the socket is destroyed in __sk_free().

> 
> Does the net reference count get carried over to sockets created
> by accept() ?

Yes, sk_clone_lock() creates a child socket that inherits the
listener's sk->sk_net_refcnt, then the child will call get_net_track().

  tcp_create_openreq_child
    inet_csk_clone_lock
      sk_clone_lock