lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1520844798.2585.13.camel@redhat.com>
Date:   Mon, 12 Mar 2018 09:53:18 +0100
From:   Paolo Abeni <pabeni@...hat.com>
To:     Guillaume Nault <g.nault@...halink.fr>
Cc:     netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
        James Chapman <jchapman@...alix.com>,
        Wei Wang <weiwan@...gle.com>, David Ahern <dsahern@...il.com>
Subject: Re: [PATCH net v2 2/2] l2tp: fix races with ipv4-mapped ipv6
 addresses

On Fri, 2018-03-09 at 19:26 +0100, Guillaume Nault wrote:
> On Fri, Mar 09, 2018 at 06:58:00PM +0100, Paolo Abeni wrote:
> > The single threaded reproducer does not trigger anymore after 1/2,
> > _but_ if ask syzbot to test 1/2 that will trigger another splat,
> > because syzbot will do also multi threaded tests and we will hit the
> > race between connect(tunnel->fd) and l2tp_tunnel_create(),
> > 
> 
> Ok, and this case is handled by the sk_state test in l2tp_xmit_skb(),
> right?

We need both such test and checking for v4mapped address in
l2tp_xmit_skb()

> I just want to be sure that I didn't miss anything and that patch 1/2
> combined with the socket state check in l2tp_xmit_skb() are enough to
> fix the bug. And that overriding ->inet_*addr can be removed entirely
> (and safely!).

I tested the above in vs the repro and in some real use case, but any
additinal pair of eyes are welcome!

I'll send v3 soon.

Cheers,

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ