Date: Tue, 14 Feb 2023 15:14:26 GMT
Message-Id: <202302141514.31EFEQan015474@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 636b19ead43a - main - tcp: Disallow re-connection of a connected socket
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 636b19ead43a722d8434776e0bd185bfc97819b6
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=636b19ead43a722d8434776e0bd185bfc97819b6

commit 636b19ead43a722d8434776e0bd185bfc97819b6
Author:     Mark Johnston
AuthorDate: 2023-02-14 14:27:47 +0000
Commit:     Mark Johnston
CommitDate: 2023-02-14 15:07:19 +0000

    tcp: Disallow re-connection of a connected socket

    soconnectat() tries to ensure that one cannot connect a connected
    socket. However, the check is racy and does not really prevent two
    threads from attempting to connect the same TCP socket.

    Modify tcp_connect() and tcp6_connect() to perform the check again,
    this time synchronized by the inpcb lock, under which we call
    soisconnecting().

    Reported by:    syzkaller
    Reviewed by:    glebius
    MFC after:      2 weeks
    Sponsored by:   Klara, Inc.
    Sponsored by:   Modirum MDPay
    Differential Revision:  https://reviews.freebsd.org/D38507
---
 sys/kern/uipc_socket.c   |  4 ++++
 sys/netinet/tcp_usrreq.c | 11 ++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 9b7f63a81617..1d2b06311c8c 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c
@@ -1345,10 +1345,14 @@ soconnectat(int fd, struct socket *so, struct sockaddr *nam, struct thread *td) int error; CURVNET_SET(so->so_vnet); + /* * If protocol is connection-based, can only connect once. * Otherwise, if connected, try to disconnect first. This allows * user to disconnect by connecting to, e.g., a null address. + * + * Note, this check is racy and may need to be re-evaluated at the + * protocol layer. */ if (so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING) && ((so->so_proto->pr_flags & PR_CONNREQUIRED) || diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 43f2fcfb097a..5c98e969c5ce 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1401,6 +1401,10 @@ tcp_connect(struct tcpcb *tp, struct sockaddr_in *sin, struct thread *td) NET_EPOCH_ASSERT(); INP_WLOCK_ASSERT(inp); + if (__predict_false((so->so_state & + (SS_ISCONNECTING | SS_ISCONNECTED)) != 0)) + return (EISCONN); + INP_HASH_WLOCK(&V_tcbinfo); error = in_pcbconnect(inp, sin, td->td_ucred, true); INP_HASH_WUNLOCK(&V_tcbinfo); @@ -1433,11 +1437,16 @@ static int tcp6_connect(struct tcpcb *tp, struct sockaddr_in6 *sin6, struct thread *td) { struct inpcb *inp = tptoinpcb(tp); + struct socket *so = tptosocket(tp); int error; NET_EPOCH_ASSERT(); INP_WLOCK_ASSERT(inp); + if (__predict_false((so->so_state & + (SS_ISCONNECTING | SS_ISCONNECTED)) != 0)) + return (EISCONN); + INP_HASH_WLOCK(&V_tcbinfo); error = in6_pcbconnect(inp, sin6, td->td_ucred, true); INP_HASH_WUNLOCK(&V_tcbinfo); @@ -1449,7 +1458,7 @@ tcp6_connect(struct tcpcb *tp, struct sockaddr_in6 *sin6, struct thread *td) (TCP_MAXWIN << tp->request_r_scale) < sb_max) tp->request_r_scale++; - soisconnecting(inp->inp_socket); + soisconnecting(so); TCPSTAT_INC(tcps_connattempt); tcp_state_change(tp, TCPS_SYN_SENT); tp->iss = tcp_new_isn(&inp->inp_inc);
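
Review bot: In the soconnectat() hunk of sys/kern/uipc_socket.c, the added comment sentence "this check is racy and may need to be re-evaluated at the protocol layer" does not say what a protocol has to hold when it repeats the check. Suggest stating the requirement, for example that the recheck is made under the protocol's own lock before soisconnecting() is called, which is what tcp_connect() and tcp6_connect() do in this patch. The hunk also adds a blank line after CURVNET_SET(so->so_vnet); that is unrelated to the comment change and could be dropped.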
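
Review bot: In the tcp_connect() hunk of sys/netinet/tcp_usrreq.c, the new so_state test sits directly after INP_WLOCK_ASSERT(inp) with no comment, so a reader of the function cannot tell why a check already made in soconnectat() is repeated, or that a thread losing the race gets EISCONN even when the socket is only SS_ISCONNECTING. A short comment above the if, saying that it repeats soconnectat()'s check under the inpcb lock, would cover both. This hunk adds no declaration of so, unlike the tcp6_connect() hunk, so it depends on one outside the visible context.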
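
Review bot: In the first tcp6_connect() hunk, the three-line so_state test is a verbatim copy of the one added to tcp_connect(); a small static inline helper shared by both functions would keep the IPv4 and IPv6 paths from drifting apart if the set of flags or the returned error changes later. The diffstat lists only the two source files, so the race reported by syzkaller gets no regression test in this change.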
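
The race the commit message describes, as an added userland model that is not FreeBSD code and not part of the commit. Assumptions: `model_sock`, `connector()`, `run_two_connects()` and the spin rendezvous are constructs of this example, and a pthread mutex stands in for the inpcb lock.

```c
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>

#define SS_ISCONNECTING 0x1     /* constructed value for this model */
struct model_sock {             /* hypothetical stand-in for struct socket */
    pthread_mutex_t lock;       /* plays the role of the inpcb lock */
    int state;                  /* plays the role of so_state */
    int connects;               /* how often the connect body ran */
    int recheck;                /* 1 = repeat the check under the lock */
    atomic_int checked;         /* callers that passed the unlocked check */
};

static void *connector(void *arg)
{
    struct model_sock *so = arg;
    long error = 0;

    if (so->state & SS_ISCONNECTING)    /* upper-layer check, no lock held */
        return (void *)(long)EISCONN;
    /* Force the losing interleaving: wait until both callers got this far. */
    atomic_fetch_add(&so->checked, 1);
    while (atomic_load(&so->checked) < 2)
        sched_yield();
    pthread_mutex_lock(&so->lock);
    if (so->recheck && (so->state & SS_ISCONNECTING)) {
        error = EISCONN;                /* second caller is refused here */
    } else {
        so->state |= SS_ISCONNECTING;   /* models soisconnecting() */
        so->connects++;
    }
    pthread_mutex_unlock(&so->lock);
    return (void *)error;
}

/* Two concurrent connect attempts; returns how many ran the connect body. */
int run_two_connects(int recheck)
{
    struct model_sock so = { .recheck = recheck };
    pthread_t t[2];
    pthread_mutex_init(&so.lock, NULL);
    for (int i = 0; i < 2; i++)
        pthread_create(&t[i], NULL, connector, &so);
    for (int i = 0; i < 2; i++)
        pthread_join(t[i], NULL);
    return so.connects;
}
int main(void) { return !(run_two_connects(0) == 2 && run_two_connects(1) == 1); }
```

Without the locked recheck both callers run the connect body; with it, the caller that takes the lock second is refused with EISCONN.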