Message-ID: <fbb33606-b817-356f-acaa-81aab44327cb@google.com>
Date:   Thu, 22 Mar 2018 17:55:30 -0700
From:   Daniel Rosenberg <drosen@...gle.com>
To:     netdev@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org
Subject: l2tp stable request

f3c66d4e144a0904ea9b95d23ed9f8eb38c11bfb        l2tp: prevent creation of sessions on terminated tunnels
9ee369a405c57613d7c83a3967780c3e30c52ecc        l2tp: initialise session's refcount before making it reachable
dbdbc73b44782e22b3b4b6e8b51e7a3d245f3086        l2tp: fix duplicate session creation
61b9a047729bb230978178bca6729689d0c50ca2        l2tp: fix race in l2tp_recv_common()

For v3.18+. It requires some minor backporting.

Without these, I'm seeing a null pointer in l2tp_session_create. These 
logs are from a 3.18 kernel, although I was able to hit it on a 4.4 
kernel I tested as well.

[  376.388847] c1  11731 Unable to handle kernel NULL pointer dereference at virtual address 0000006c
[  376.388892] c1  11731 pgd = ffffffc093138000
[  376.388908] [0000006c] *pgd=000000010add3003, *pud=000000010add3003, *pmd=0000000000000000
[  376.388955] c1  11731 Internal error: Oops: 96000006 [#1] PREEMPT SMP
[  376.388987] c1  11731 CPU: 1 PID: 11731 Comm: 0 Tainted: G    B   W       3.18.31-g3021f2f-00001-gea07e56-dirty #35
[  376.389005] c1  11731 Hardware name: HTC Corporation. MSM8996pro v1.1 + PMI8996 Marlin A (DT)
[  376.389024] c1  11731 task: ffffffc09f582880 ti: ffffffc089ea4000 task.ti: ffffffc089ea4000
[  376.389062] c1  11731 PC is at l2tp_session_create+0x39c/0x5b8
[  376.389081] c1  11731 LR is at l2tp_session_create+0x394/0x5b8
[  376.389097] c1  11731 pc : [<ffffffc00127bbd4>] lr : [<ffffffc00127bbcc>] pstate: 20000145
[  376.389112] c1  11731 sp : ffffffc089ea7ca0
[  376.389127] x29: ffffffc089ea7ca0 x28: ffffffc03982fbf8
[  376.389154] x27: 0000000000000000 x26: ffffffc03982fca0
[  376.389180] x25: ffffffc099190ea8 x24: ffffffc03982fca8
[  376.389205] x23: ffffffc03982fbf0 x22: 0000000000000000
[  376.389230] x21: ffffffc03982fc98 x20: ffffffc099190e00
[  376.389254] x19: ffffffc03982fb80 x18: ffffffc001bd00e0
[  376.389277] x17: 0000000033293c44 x16: 000000006e1d9948
[  376.389301] x15: 0000000000000000 x14: 000000000000000a
[  376.389324] x13: ffffffc0b982fc03 x12: 0000000000000000
[  376.389347] x11: 0000000000000000 x10: ffffffc03982fc0d
[  376.389370] x9 : 00000000fffffffb x8 : ffffff8807305fb0
[  376.389393] x7 : fcfcfcfcfcfcfcfc x6 : ffffffc03982fba4
[  376.389415] x5 : 000000000000ffff x4 : ffffffc0019480db
[  376.389438] x3 : 1ffffff8132321e9 x2 : dfffff9000000000
[  376.389461] x1 : 0000000000000000 x0 : 000000000000006c
[  376.392765] c1  11731 Process 0 (pid: 11731, stack limit = 0xffffffc089ea4058)
[  376.392784] c1  11731 Context switch saved registers(0xffffffc09f582ec0 to 0xffffffc09f582f28)
[  376.392804] c1  11731 2ec0: a5f51b00 ffffffc0 9f582880 ffffffc0 89ea4000 ffffffc0 23966c00 ffffffc0
[  376.392824] c1  11731 2ee0: 7345e780 ffffffc0 01c20000 ffffffc0 89ea7ac0 ffffffc0 019fe400 ffffffc0
[  376.392842] c1  11731 2f00: 019fe400 ffffffc0 a5f51b00 ffffffc0 89ea7aa0 ffffffc0 89ea7aa0 ffffffc0
[  376.392857] c1  11731 2f20: 00087574 ffffffc0
[  376.392870] c1  11731 Call trace:
[  376.392904] c1  11731 [<ffffffc00127bbd4>] l2tp_session_create+0x39c/0x5b8
[  376.392923] c1  11731 [<ffffffc00127dc2c>] pppol2tp_connect+0x260/0x698
[  376.392952] c1  11731 [<ffffffc000ffd790>] SyS_connect+0xcc/0x144
[  376.392971] c1  11731 Code: 91052280 97bd045b f940a680 9101b000 (885f7c01)
[  376.402888] c1  11731 ---[ end trace 7e40566c5e647ab7 ]---
[  376.446227] c1  11731 Kernel panic - not syncing: Fatal exception
