lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sat, 01 Apr 2017 20:17:07 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     g.nault@...halink.fr
Cc:     netdev@...r.kernel.org, jchapman@...alix.com, bhong@...cade.com
Subject: Re: [PATCH net 0/5] l2tp: fix usage of l2tp_session_find()

From: Guillaume Nault <g.nault@...halink.fr>
Date: Fri, 31 Mar 2017 13:02:23 +0200

> l2tp_session_find() doesn't take a reference on the session returned to
> its caller. Virtually all l2tp_session_find() users are racy, either
> because the session can disappear from under them or because they take
> a reference too late. This leads to bugs like 'use after free' or
> failure to notice duplicate session creations.
> 
> In some cases, taking a reference on the session is not enough. The
> special callbacks .ref() and .deref() also have to be called in cases
> where the PPP pseudo-wire uses the socket associated with the session.
> Therefore, when looking up a session, we also have to pass a flag
> indicating if the .ref() callback has to be called.
> 
> In the future, we probably could drop the .ref() and .deref() callbacks
> entirely by protecting the .sock field of struct pppol2tp_session with
> RCU, thus allowing it to be freed and set to NULL even if the L2TP
> session is still alive.

Series applied with the Fixes: tag of patch #5 updated.

Thanks.

Powered by blists - more mailing lists