Commit ded34e0f authored Mar 25, 2013 by Paul Moore Committed by David S. Miller Mar 25, 2013

unix: fix a race condition in unix_release()



As reported by Jan, and others over the past few years, there is a
race condition caused by unix_release setting the sock->sk pointer
to NULL before properly marking the socket as dead/orphaned.  This
can cause a problem with the LSM hook security_unix_may_send() if
there is another socket attempting to write to this partially
released socket in between when sock->sk is set to NULL and it is
marked as dead/orphaned.  This patch fixes this by only setting
sock->sk to NULL after the socket has been marked as dead; I also
take the opportunity to make unix_release_sock() a void function
as it only ever returned 0/success.

Dave, I think this one should go on the -stable pile.

Special thanks to Jan for coming up with a reproducer for this
problem.

Reported-by: Jan Stancek <jan.stancek@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 7ebe183c

net/unix/af_unix.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -382,7 +382,7 @@ static void unix_sock_destructor(struct sock *sk)
		#endif
		}

		static int unix_release_sock(struct sock *sk, int embrion)
		static void unix_release_sock(struct sock *sk, int embrion)
		{
		struct unix_sock *u = unix_sk(sk);
		struct path path;
		@@ -451,8 +451,6 @@ static int unix_release_sock(struct sock *sk, int embrion)

		if (unix_tot_inflight)
		unix_gc(); /* Garbage collect fds */

		return 0;
		}

		static void init_peercred(struct sock *sk)
		@@ -699,9 +697,10 @@ static int unix_release(struct socket *sock)
		if (!sk)
		return 0;

		unix_release_sock(sk, 0);
		sock->sk = NULL;

		return unix_release_sock(sk, 0);
		return 0;
		}

		static int unix_autobind(struct socket *sock)

Admin message