lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1518188432-9245-1-git-send-email-jchapman@katalix.com>
Date:   Fri,  9 Feb 2018 15:00:16 +0000
From:   James Chapman <jchapman@...alix.com>
To:     netdev@...r.kernel.org
Subject: [PATCH net-next 00/16] l2tp: fix API races discovered by syzbot

This patch series addresses several races with L2TP APIs discovered by
syzbot. While working on this, it became clear that the L2TP code
needed some work to address object lifetime issues. There are no
functional changes.

The set of patches 1-13 in combination fix the following syzbot reports.

9df43faf0 KASAN: use-after-free Read in pppol2tp_connect
6e6a5ec8d general protection fault in pppol2tp_connect
347bd5acd KASAN: use-after-free Read in inet_shutdown
19c09769f WARNING in debug_print_object

In detail:-

 1. Add RCU protection of sk_user_data. Since L2TP hooks on sockets
    opened by userspace, we may race with other socket families that
    attempt to use the same socket. (patches 1-2)

 2. Fix inet_shutdown races when L2TP tunnels close. (patch 3)

 3. Refactor code to address internal object lifetime
    issues. Previously internal refcounts and socket refcounts were
    used inconsistently and led to workarounds to fix specific
    bugs. With the changes made here, we can now fetch the
    tunnel/session context from its socket sk_user_data and fetch the
    socket from the tunnel/session without using other APIs such as
    sockfd_lookup. (patches 4-8)

 4. Refactor pppol2tp_connect to fix several races and split it up to
    improve readability. (patch 9)

 5. Refactor session destroy paths to use a workqueue such that all
    session cleanup is done using common code, regardless of whether
    the session is closed by netlink request or (in the case of ppp)
    its socket closed. (patches 10-13)

 6. Misc cleanups made possible by the refactoring done in this
    series. (patches 14-16)

James Chapman (16):
  l2tp: update sk_user_data while holding sk_callback_lock
  l2tp: add RCU read lock to protect tunnel ptr in ip socket destroy
  l2tp: don't use inet_shutdown on tunnel destroy
  l2tp: refactor tunnel lifetime handling wrt its socket
  l2tp: use tunnel closing flag
  l2tp: refactor session lifetime handling
  l2tp: hide sessions if they are closing
  l2tp: hide session from pppol2tp_sock_to_session if it is closing
  l2tp: refactor pppol2tp_connect
  l2tp: add session_free callback
  l2tp: do session destroy using a workqueue
  l2tp: simplify l2tp_tunnel_closeall
  l2tp: refactor ppp session cleanup paths
  l2tp: remove redundant sk_user_data check when creating tunnels
  l2tp: remove unwanted error message
  l2tp: make __l2tp_session_unhash internal

 net/l2tp/l2tp_core.c | 310 ++++++++++++++++++------------------
 net/l2tp/l2tp_core.h |  37 ++---
 net/l2tp/l2tp_ip.c   |  10 +-
 net/l2tp/l2tp_ip6.c  |   8 +-
 net/l2tp/l2tp_ppp.c  | 434 ++++++++++++++++++++++++++++++---------------------
 5 files changed, 434 insertions(+), 365 deletions(-)

-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ