| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Jan 2013 16:03:31 -0500 (EST) From: David Miller <davem@...emloft.net> To: tparkin@...alix.com Cc: netdev@...r.kernel.org, celston@...alix.com, jchapman@...alix.com Subject: Re: [PATCH] l2tp: prevent l2tp_tunnel_delete racing with userspace close From: Tom Parkin <tparkin@...alix.com> Date: Tue, 22 Jan 2013 15:13:48 +0000 > If a tunnel socket is created by userspace, l2tp hooks the socket destructor > in order to clean up resources if userspace closes the socket or crashes. It > also caches a pointer to the struct sock for use in the data path and in the > netlink interface. > > While it is safe to use the cached sock pointer in the data path, where the > skb references keep the socket alive, it is not safe to use it elsewhere as > such access introduces a race with userspace closing the socket. In > particular, l2tp_tunnel_delete is prone to oopsing if a multithreaded > userspace application closes a socket at the same time as sending a netlink > delete command for the tunnel. > > This patch fixes this oops by forcing l2tp_tunnel_delete to explicitly look up > a tunnel socket held by userspace using sockfd_lookup(). > > Signed-off-by: Tom Parkin <tparkin@...alix.com> > Signed-off-by: James Chapman <jchapman@...alix.com> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists