| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20160124.221859.411528121283723172.davem@davemloft.net>
Date: Sun, 24 Jan 2016 22:18:59 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: hannes@...essinduktion.org
Cc: netdev@...r.kernel.org, xeb@...l.ru, sasha.levin@...cle.com,
dvyukov@...gle.com, davej@...emonkey.org.uk
Subject: Re: [PATCH net] pptp: fix illegal memory access caused by multiple
bind()s
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
Date: Fri, 22 Jan 2016 01:39:43 +0100
> Several times already this has been reported as kasan reports caused by
> syzkaller and trinity and people always looked at RCU races, but it is
> much more simple. :)
>
> In case we bind a pptp socket multiple times, we simply add it to
> the callid_sock list but don't remove the old binding. Thus the old
> socket stays in the bucket with unused call_id indexes and doesn't get
> cleaned up. This causes various forms of kasan reports which were hard
> to pinpoint.
>
> Simply don't allow multiple binds and correct error handling in
> pptp_bind. Also keep sk_state bits in place in pptp_connect.
>
> Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
> Cc: Dmitry Kozlov <xeb@...l.ru>
> Cc: Sasha Levin <sasha.levin@...cle.com>
> Cc: Dmitry Vyukov <dvyukov@...gle.com>
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
> Cc: Dave Jones <davej@...emonkey.org.uk>
> Reported-by: Dave Jones <davej@...emonkey.org.uk>
> Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
Applied and queued up for -stable, thanks Hannes.
Powered by blists - more mailing lists