lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20241106180706.330326-1-jchapman@katalix.com>
Date: Wed,  6 Nov 2024 18:07:06 +0000
From: James Chapman <jchapman@...alix.com>
To: syzbot+332fe1e67018625f63c9@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: test fix for WARN_ON in l2tp_exit_net

Resend to include the patch inline.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git ccb35037c48a

>From fa6758c4ac6439c3ef4bedf6c0abfbf3ee17d36e Mon Sep 17 00:00:00 2001
From: James Chapman <jchapman@...alix.com>
Date: Wed, 6 Nov 2024 16:04:44 +0000
Subject: [PATCH] l2tp: fix warning in l2tp_exit_net found by syzbot

l2tp uses idr_is_empty to check that its IDRs are empty in its net
exit handler before calling idr_destroy and warns if the IDR isn't
empty. syzbot is able to hit this warning by injecting a memory
allocation fail inside idr_alloc_u32 (radix_tree_node_alloc). However,
this leaves the IDR root with its IDR_FREE tag unset such that the IDR
appears non-empty to idr_is_empty callers.

Fix this in l2tp by checking that the IDR is empty using idr_for_each
instead of idr_is_empty.

Reported-by: syzbot+332fe1e67018625f63c9@...kaller.appspotmail.com
Fixes: 73d33bd063c4c ("l2tp: avoid using drain_workqueue in l2tp_pre_exit_net")

---
 net/l2tp/l2tp_core.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 3eec23ac5ab1..a665bdf3f9c6 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1870,15 +1870,26 @@ static __net_exit void l2tp_pre_exit_net(struct net *net)
 	}
 }
 
+static int l2tp_idr_item_unexpected(int id, void *p, void *data)
+{
+	const char *idr_name = data;
+	pr_err("IDR %s not empty\n", idr_name);
+	WARN_ON_ONCE(1);
+	return 1;
+}
+
 static __net_exit void l2tp_exit_net(struct net *net)
 {
 	struct l2tp_net *pn = l2tp_pernet(net);
 
-	WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_v2_session_idr));
+	rcu_read_lock_bh();
+	idr_for_each(&pn->l2tp_v2_session_idr, l2tp_idr_item_unexpected, "v2_session");
+	idr_for_each(&pn->l2tp_v3_session_idr, l2tp_idr_item_unexpected, "v3_session");
+	idr_for_each(&pn->l2tp_tunnel_idr, l2tp_idr_item_unexpected, "tunnel");
+	rcu_read_unlock_bh();
+
 	idr_destroy(&pn->l2tp_v2_session_idr);
-	WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_v3_session_idr));
 	idr_destroy(&pn->l2tp_v3_session_idr);
-	WARN_ON_ONCE(!idr_is_empty(&pn->l2tp_tunnel_idr));
 	idr_destroy(&pn->l2tp_tunnel_idr);
 }
 
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ