Date:	Wed, 12 Dec 2012 15:51:05 +0000
From:	Tom Parkin <tparkin@...alix.com>
To:	ebiederm@...ssion.com
Cc:	netdev@...r.kernel.org
Subject: Network namespace bugs in L2TP

Hi Eric,

I'm following up on this thread from late October in which you
pointed out some network namespace bugs in L2TP:

http://www.spinics.net/lists/netdev/msg214776.html

I use L2TP, and I'd like to help fix these bugs.  But I'm not very
conversant with network namespaces, and so I'm struggling to fully
appreciate the issues you pointed out previously.  Could you give me a
hand getting to grips with this?

So far I've tested L2TP within network namespaces, using both iproute2
to create sessions between two namespaces on the same host, and an
L2TP daemon running in a namespace to create sessions between two
hosts.  In both cases I've done a bit of trivial ping and iperf
testing using Ethernet pseudowires.

To make this work I've had to add a couple of trivial patches (see
below).

There are two things I'm uncertain about:

 1. Why do we need to change the namespace of the socket created in
    l2tp_tunnel_sock_create?  So far as I can tell, sock_create
    defaults to the namespace of the calling process.  Is the issue
    here that this code may run from a work queue or similar?

 2. You mentioned the need to keep track of sockets allocated within a
    namespace in order to be able to clean them up when the namespace
    is deleted.  Should we be keeping a list of sockets we create and
    then destroying them in the namespace pernet_ops exit function?

Thanks,
Tom

From b9c095fdf32c895b79a5954020c4745fe5518141 Mon Sep 17 00:00:00 2001
From: Tom Parkin <tparkin@...alix.com>
Date: Tue, 11 Dec 2012 13:03:48 +0000
Subject: [PATCH 1/2] l2tp: set netnsok flag for netlink messages

The L2TP netlink code can run in namespaces.  Set the netnsok flag in
genl_family to true to reflect that fact.
---
 net/l2tp/l2tp_netlink.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index bbba3a1..c1bab22 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -37,6 +37,7 @@ static struct genl_family l2tp_nl_family = {
 	.version	= L2TP_GENL_VERSION,
 	.hdrsize	= 0,
 	.maxattr	= L2TP_ATTR_MAX,
+	.netnsok	= true,
 };
 
 /* Accessed under genl lock */
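
Review bot: the `.netnsok = true` line added to l2tp_nl_family makes the family reachable from any network namespace, but nothing in this patch shows that the family's command and dump handlers resolve tunnels and sessions against the requester's namespace rather than a fixed one. The commit message should say which handlers were checked for that, since the covering mail describes only ping and iperf testing over Ethernet pseudowires. The patch also carries no Signed-off-by line.
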
-- 
1.7.9.5

From 13e9b0ddc48a16b384ffbf5ff64e6413cfa612f5 Mon Sep 17 00:00:00 2001
From: Tom Parkin <tparkin@...alix.com>
Date: Wed, 12 Dec 2012 12:50:54 +0000
Subject: [PATCH 2/2] l2tp: prevent tunnel creation on netns mismatch

l2tp_tunnel_create is passed a pointer to the network namespace for the
tunnel, along with an optional file descriptor for the tunnel which may
be passed in from userspace via netlink.

In the case where the file descriptor is defined, ensure that the namespace
associated with that socket matches the namespace explicitly passed to
l2tp_tunnel_create.
---
 net/l2tp/l2tp_core.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 1a9f372..f8d200b 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1528,6 +1528,13 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
 			       tunnel_id, fd, err);
 			goto err;
 		}
+
+		/* Reject namespace mismatches */
+		if (!net_eq(sock_net(sock->sk), net)) {
+			pr_err("tunl %hu: netns mismatch\n", tunnel_id);
+			err = -EBADF; /* TODO -- what value? */
+			goto err;
+		}
 	}
 
 	sk = sock->sk;
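
Review bot: the error code in the new mismatch branch is still an open TODO (`err = -EBADF; /* TODO -- what value? */`) and should be settled before this is applied; the descriptor itself is valid here and only its namespace is wrong, so -EINVAL describes the failure better than -EBADF. In the same branch, `pr_err("tunl %hu: ...")` prints tunnel_id with %hu although the function signature in the hunk header declares it as u32, so %u is the matching specifier. Since sock has already been looked up from fd when this check runs, please also confirm that the err label releases that reference, because this adds a new way to reach it with sock set.
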
-- 
1.7.9.5
-- 
Tom Parkin
Katalix Systems Ltd
http://www.katalix.com
Catalysts for your Embedded Linux software development
