| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Nov 2018 16:33:32 +0100
From: Guillaume Nault <g.nault@...halink.fr>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
"David S. Miller" <davem@...emloft.net>,
Sasha Levin <sashal@...nel.org>
Subject: Re: [PATCH 4.4 063/114] l2tp: hold socket before dropping lock in
l2tp_ip{, 6}_recv()
On Thu, Nov 08, 2018 at 01:51:18PM -0800, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
This patch was partly wrong. Here is the followup fix:
94d7ee0baa8b ("l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6")
Both a3c18422a4 ("l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()")
and 94d7ee0baa8b ("l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6")
should be applied/backported together.
> ------------------
>
> [ Upstream commit a3c18422a4b4e108bcf6a2328f48867e1003fd95 ]
>
> Socket must be held while under the protection of the l2tp lock; there
> is no guarantee that sk remains valid after the read_unlock_bh() call.
>
> Same issue for l2tp_ip and l2tp_ip6.
>
> Signed-off-by: Guillaume Nault <g.nault@...halink.fr>
> Signed-off-by: David S. Miller <davem@...emloft.net>
> Signed-off-by: Sasha Levin <sashal@...nel.org>
> ---
> net/l2tp/l2tp_ip.c | 11 ++++++-----
> net/l2tp/l2tp_ip6.c | 11 ++++++-----
> 2 files changed, 12 insertions(+), 10 deletions(-)
>
> diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
> index 48ab93842322..c7e6098c924e 100644
> --- a/net/l2tp/l2tp_ip.c
> +++ b/net/l2tp/l2tp_ip.c
> @@ -184,14 +184,15 @@ pass_up:
>
> read_lock_bh(&l2tp_ip_lock);
> sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
> + if (!sk) {
> + read_unlock_bh(&l2tp_ip_lock);
> + goto discard;
> + }
> +
> + sock_hold(sk);
sock_hold(sk) is missing in the 'if' branch of this condition.
> read_unlock_bh(&l2tp_ip_lock);
> }
>
> - if (sk == NULL)
> - goto discard;
> -
> - sock_hold(sk);
> -
Original sock_hold(sk) covered both parts of the condition.
> if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
> goto discard_put;
>
> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
> index bcdab1cba773..5fe0a6f6af3d 100644
> --- a/net/l2tp/l2tp_ip6.c
> +++ b/net/l2tp/l2tp_ip6.c
> @@ -196,14 +196,15 @@ pass_up:
> read_lock_bh(&l2tp_ip6_lock);
> sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr,
> 0, tunnel_id);
> + if (!sk) {
> + read_unlock_bh(&l2tp_ip6_lock);
> + goto discard;
> + }
> +
> + sock_hold(sk);
Same here.
> read_unlock_bh(&l2tp_ip6_lock);
> }
>
> - if (sk == NULL)
> - goto discard;
> -
> - sock_hold(sk);
> -
> if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
> goto discard_put;
>
> --
> 2.17.1
>
Powered by blists - more mailing lists