| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202510230900.5754A094@keescook>
Date: Thu, 23 Oct 2025 09:01:28 -0700
From: Kees Cook <kees@...nel.org>
To: Paolo Abeni <pabeni@...hat.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
John Fastabend <john.fastabend@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Simon Horman <horms@...nel.org>,
Kuniyuki Iwashima <kuniyu@...gle.com>,
Willem de Bruijn <willemb@...gle.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, bpf@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v3 2/9] net/l2tp: Add missing sa_family validation in
pppol2tp_sockaddr_get_info
On Thu, Oct 23, 2025 at 12:47:32PM +0200, Paolo Abeni wrote:
> On 10/20/25 11:26 PM, Kees Cook wrote:
> > While reviewing the struct proto_ops connect() and bind() callback
> > implementations, I noticed that there doesn't appear to be any
> > validation that AF_PPPOX sockaddr structures actually have sa_family set
> > to AF_PPPOX. The pppol2tp_sockaddr_get_info() checks only look at the
> > sizes.
> >
> > I don't see any way that this might actually cause problems as specific
> > info fields are being populated, for which the existing size checks are
> > correct, but it stood out as a missing address family check.
> >
> > Add the check and return -EAFNOSUPPORT on mismatch.
> >
> > Signed-off-by: Kees Cook <kees@...nel.org>
> > ---
> > net/l2tp/l2tp_ppp.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
> > index 5e12e7ce17d8..b7a9c224520f 100644
> > --- a/net/l2tp/l2tp_ppp.c
> > +++ b/net/l2tp/l2tp_ppp.c
> > @@ -535,6 +535,13 @@ struct l2tp_connect_info {
> > static int pppol2tp_sockaddr_get_info(const void *sa, int sa_len,
> > struct l2tp_connect_info *info)
> > {
> > + const struct sockaddr_unspec *sockaddr = sa;
> > +
> > + if (sa_len < offsetofend(struct sockaddr, sa_family))
> > + return -EINVAL;
> > + if (sockaddr->sa_family != AF_PPPOX)
> > + return -EAFNOSUPPORT;
>
> I fear we can't introduce this check, as it could break existing
> user-space application currently passing random data into sa_family but
> still able to connect successfully.
Isn't sa_family kind of the critical determining factor on how the
network stack decides to handle sockaddr stuff? I'll drop it for now,
I guess, but that's surprising to me.
-Kees
--
Kees Cook
Powered by blists - more mailing lists