Date: Sat, 01 Apr 2017 20:17:07 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: g.nault@...halink.fr
Cc: netdev@...r.kernel.org, jchapman@...alix.com, bhong@...cade.com
Subject: Re: [PATCH net 0/5] l2tp: fix usage of l2tp_session_find()

From: Guillaume Nault <g.nault@...halink.fr>
Date: Fri, 31 Mar 2017 13:02:23 +0200

> l2tp_session_find() doesn't take a reference on the session returned to
> its caller. Virtually all l2tp_session_find() users are racy, either
> because the session can disappear from under them or because they take
> a reference too late. This leads to bugs like 'use after free' or
> failure to notice duplicate session creations.
>
> In some cases, taking a reference on the session is not enough. The
> special callbacks .ref() and .deref() also have to be called in cases
> where the PPP pseudo-wire uses the socket associated with the session.
> Therefore, when looking up a session, we also have to pass a flag
> indicating if the .ref() callback has to be called.
>
> In the future, we probably could drop the .ref() and .deref() callbacks
> entirely by protecting the .sock field of struct pppol2tp_session with
> RCU, thus allowing it to be freed and set to NULL even if the L2TP
> session is still alive.

Series applied with the Fixes: tag of patch #5 updated.

Thanks.
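
A minimal user-space model of the lookup problem described in the quoted cover letter above, added here as an illustration and not taken from the patch series: the lookup takes its reference inside the critical section that finds the session, and creation checks for a duplicate in the same critical section as the insert. All type and function names are hypothetical, a pthread mutex stands in for the kernel's locking, and the .ref()/.deref() callbacks are not modelled.

```c
/* User-space model, not kernel code; every name here is hypothetical. */
#include <pthread.h>
#include <stdlib.h>

#define SLOTS 8 /* model: one session per slot, no chaining */
struct session { unsigned int id; int refcnt; /* guarded by table_lock */ };
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct session *table[SLOTS];

/* Drop one reference; returns 1 when this put freed the session. */
int session_put(struct session *s) {
    pthread_mutex_lock(&table_lock);
    int last = (--s->refcnt == 0);
    pthread_mutex_unlock(&table_lock);
    if (last) free(s);
    return last;
}

/* Lookup that takes the reference while the lock still pins the entry. */
struct session *session_get(unsigned int id) {
    pthread_mutex_lock(&table_lock);
    struct session *s = table[id % SLOTS];
    if (s && s->id == id) s->refcnt++; else s = NULL;
    pthread_mutex_unlock(&table_lock);
    return s;
}

/* Duplicate check and insert in one critical section; -1 if slot is taken. */
int session_register(unsigned int id) {
    struct session *s = NULL;
    pthread_mutex_lock(&table_lock);
    if (!table[id % SLOTS] && (s = calloc(1, sizeof(*s)))) {
        s->id = id;
        s->refcnt = 1; /* the table's own reference */
        table[id % SLOTS] = s;
    }
    pthread_mutex_unlock(&table_lock);
    return s ? 0 : -1;
}

/* Unlink, then drop the table's reference; -1 if the id is not registered. */
int session_unregister(unsigned int id) {
    pthread_mutex_lock(&table_lock);
    struct session *s = table[id % SLOTS];
    if (s && s->id == id) table[id % SLOTS] = NULL; else s = NULL;
    pthread_mutex_unlock(&table_lock);
    return s ? session_put(s) : -1;
}
```

A lookup that returned the pointer without the increment would leave the caller holding freed memory as soon as session_unregister() ran on another thread; here the caller's reference keeps the object alive until its own session_put().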