Page MenuHomeFreeBSD
Differential D24332

Handle disconnected sockets in uipc_ready().
ClosedPublic
Actions

Authored by markj on Apr 7 2020, 9:53 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 20 2024, 9:34 PM
Unknown Object (File)
Oct 3 2024, 12:37 PM
Unknown Object (File)
Sep 22 2024, 11:38 AM
Unknown Object (File)
Sep 18 2024, 11:06 PM
Unknown Object (File)
Sep 8 2024, 12:57 AM
Unknown Object (File)
Sep 7 2024, 10:10 PM
Unknown Object (File)
Sep 7 2024, 4:09 PM
Unknown Object (File)
Sep 5 2024, 9:37 AM
View All 58 Files
Subscribers
imp

Details

Reviewers
glebius
kib
jah
Commits
rS359778: Properly handle disconnected sockets in uipc_ready().
Summary

When transmitting over a unix socket, data is placed directly into the
receiving socket's receive buffer, instead of the transmitting socket's
send buffer. This means that when pru_ready is called during
sendfile(), the passed socket does not contain M_NOTREADY mbufs in its
buffers; uipc_ready() must locate the linked socket.

Currently uipc_ready() frees the mbufs if the socket is disconnected,
but this is wrong since the mbufs may still be present in the receiving
socket's buffer after a disconnect. This can result in a use-after-free
and potentially a double free if the receive buffer is flushed after
uipc_ready() frees the mbufs.

Fix the problem by trying harder to locate the correct socket buffer and
calling sbready(): use the global list of SOCK_STREAM unix sockets to
search for a sockbuf containing the now-ready mbufs. Only free the
mbufs if we fail this search.

Test Plan

Peter and I came up with a test case that triggers a use-after-free:
uipc_ready() frees the mbufs after the connection is dropped, and
then unp_dispose() crashes while scanning buffered data.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Apr 7 2020, 9:53 PM
Harbormaster completed remote builds in B30348: Diff 70320.Apr 7 2020, 9:53 PM
markj edited the test plan for this revision. (Show Details)Apr 7 2020, 9:55 PM
markj added reviewers: glebius, kib, jah.
jah added inline comments.Apr 8 2020, 3:39 AM
sys/kern/uipc_usrreq.c
791 ↗(On Diff #70320)

Does this need to be done while the unp link lock is held?

markj added inline comments.Apr 8 2020, 2:59 PM
sys/kern/uipc_usrreq.c
791 ↗(On Diff #70320)

Good point. It is sufficient to clear the socket buffer before unlinking the socket.

markj updated this revision to Diff 70341.Apr 8 2020, 3:00 PM

Call sbrelease() before acquiring the global link lock.

Harbormaster completed remote builds in B30365: Diff 70341.Apr 8 2020, 3:00 PM
jah accepted this revision.Apr 9 2020, 7:08 AM
This revision is now accepted and ready to land.Apr 9 2020, 7:08 AM
kib accepted this revision.Apr 10 2020, 1:33 AM
Closed by commit rS359778: Properly handle disconnected sockets in uipc_ready(). (authored by markj). · Explain WhyApr 10 2020, 8:42 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS359778: Properly handle disconnected sockets in uipc_ready()..
Herald added a subscriber: imp. · View Herald TranscriptApr 10 2020, 8:42 PM

Revision Contents
Changeset List

PathSize
head/
sys/
kern/
79 lines

Diff 70415

View Options

head/sys/kern/uipc_usrreq.c

Loading...