Em 09-09-2015 21:16, David Miller escreveu:
From: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
Date: Wed, 9 Sep 2015 17:03:01 -0300
So the fix then is to invert the initialization order inside
register_pernet_subsys() so that the control socket is created by last
and also block socket creation if netns initialization wasn't yet
performed.
If we really need to we could make ->create() fail with -EAFNOSUPPORT
if kern==1 until the protocol is fully setup.
Or, instead of failing, we could make such ->create() calls block
until the control sock init is complete or fails.
I guess I should have written that paragraph in another order, perhaps like:
So the fix then is to deny any sctp socket creation until netns
initialization is sufficiently done. And due to that, we have to
initialize the control socket as last step in netns initialization, as
now it can't be created earlier anymore.
Is it clearer on the intention?
And my emphasis on userspace sockets was to highlight that a random user
could trigger it, but yes both users are affected by the issue.
Strictly speaking, we would have to block ->create() not until the
control socket init is done but until the protocol is fully loaded. Such
condition, with this patch, is after net->sctp.auto_asconf_splist is
initialized. But for blocking until instead of just denying, we would
need some other mechanism.
It would be better from the (sctp) user point of view but then such
solution may better belong to another layer instead and protect all
protocols at once. (I checked and couldn't find other protocols at risk
like sctp)
We have actually several visibility issues wrt. control sockets on
protocol init, in general.
For example, such control sockets can briefly be hashed and visible
to socket dumps and packet input.
A lot of really tricky issues involved here.
Agreed, but does these still apply after explaining that paragraph/the
solution? I had no intention on visiting these issues with this patch,
they are left unchanged, but I can if a better solution for the original
issue calls for it.
Marcelo
--
To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
