[Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?

From: mengkanglai
Date: Tue Dec 19 2023 - 08:44:54 EST

Next message: Christoph Hellwig: "Re: [PATCH] dma-debug: make dma_debug_add_bus take a const pointer"
Previous message: Krzysztof Kozlowski: "Re: [PATCH] ASoC: dt-bindings: qcom,lpass-va-macro: remove spurious contains in if statement"
Next in thread: Kuniyuki Iwashima: "Re: [Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello, Eric:

I found upstream have fixed a UAF issue (smc: Fix use-after-free in tcp_write_timer_handler()):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf

When create a kernel socket use sock_create_kern , it won't call get_net() to increase refcnt for net where the socket is located.
I found some other subsystem(like rds and sunrpc) also use sock_create_kern to create kernel tcp socket, I want to know if they have same UAF problem?

Best wishes!

Next message: Christoph Hellwig: "Re: [PATCH] dma-debug: make dma_debug_add_bus take a const pointer"
Previous message: Krzysztof Kozlowski: "Re: [PATCH] ASoC: dt-bindings: qcom,lpass-va-macro: remove spurious contains in if statement"
Next in thread: Kuniyuki Iwashima: "Re: [Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]