lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 30 Jan 2023 18:03:52 +0100
From:   Guillaume Nault <gnault@...hat.com>
To:     Shigeru Yoshida <syoshida@...hat.com>
Cc:     jchapman@...alix.com, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] l2tp: Avoid possible recursive deadlock in
 l2tp_tunnel_register()

On Tue, Jan 31, 2023 at 12:44:38AM +0900, Shigeru Yoshida wrote:
> This patch fixes the issue by returning error when a pppol2tp socket
> itself is passed.

Fixes: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")

> Signed-off-by: Shigeru Yoshida <syoshida@...hat.com>
> ---
>  net/l2tp/l2tp_ppp.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
> index db2e584c625e..88d1a339500b 100644
> --- a/net/l2tp/l2tp_ppp.c
> +++ b/net/l2tp/l2tp_ppp.c
> @@ -702,11 +702,14 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
>  			struct l2tp_tunnel_cfg tcfg = {
>  				.encap = L2TP_ENCAPTYPE_UDP,
>  			};
> +			int dummy = 0;

There's no need to initialise dummy here. This is just confusing.
We could even do without any extra variable and reuse error in
sockfd_lookup().

>  			/* Prevent l2tp_tunnel_register() from trying to set up
> -			 * a kernel socket.
> +			 * a kernel socket.  Also, prevent l2tp_tunnel_register()
> +			 * from trying to use pppol2tp socket itself.
>  			 */
> -			if (info.fd < 0) {
> +			if (info.fd < 0 ||
> +			    sock == sockfd_lookup(info.fd, &dummy)) {
>  				error = -EBADF;
>  				goto end;
>  			}

That should work, but the real problem is calling l2tp_tunnel_register()
under lock_sock(). We should instead get/create the tunnel before
locking the pppol2tp socket.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ