On Tue, Dec 05, 2023 at 06:08:29PM +0100, Jann Horn wrote: > On Tue, Dec 5, 2023 at 5:40 PM Jann Horn <jannh@xxxxxxxxxx> wrote: > > > > Hi! > > > > I think this code is racy, but testing that seems like a pain... > > > > owner_mt() in xt_owner runs in context of a NF_INET_LOCAL_OUT or > > NF_INET_POST_ROUTING hook. It first checks that sk->sk_socket is > > non-NULL, then checks that sk->sk_socket->file is non-NULL, then > > accesses the ->f_cred of that file. > > > > I don't see anything that protects this against a concurrent > > sock_orphan(), which NULLs out the sk->sk_socket pointer, if we're in > > Ah, and all the other users of ->sk_socket in net/netfilter/ do it > under the sk_callback_lock... so I guess the fix would be to add the > same in owner_mt? In your other mail you wrote: > I also think we have no guarantee here that the socket's ->file won't > go away due to a concurrent __sock_release(), which could cause us to > continue reading file credentials out of a file whose refcount has > already dropped to zero? Is this an independent worry or can the concurrent __sock_release() issue only happen due to a sock_orphan() having happened first? I think that it requires a sock_orphan() having happend, presumably because the socket gets marked SOCK_DEAD and can thus be released via __sock_release() asynchronously? If so then taking sk_callback_lock() in owner_mt() should fix this. (Otherwise we might need an additional get_active_file() on sk->sk_socker->file in owner_mt() in addition to the other fix.)
