lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20180805112157.64rx4btyuwvxlzwb@kdev>
Date:   Sun, 5 Aug 2018 13:24:13 +0200
From:   Guillaume Nault <g.nault@...halink.fr>
To:     David Miller <davem@...emloft.net>
Cc:     netdev@...r.kernel.org, jchapman@...alix.com
Subject: Re: [PATCH net] l2tp: fix missing refcount drop in
 pppol2tp_tunnel_ioctl()

On Fri, Aug 03, 2018 at 12:42:22PM -0700, David Miller wrote:
> From: Guillaume Nault <g.nault@...halink.fr>
> Date: Fri, 3 Aug 2018 17:00:11 +0200
> 
> > If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
> > drop the reference taken by l2tp_session_get().
> > 
> > Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
> > Signed-off-by: Guillaume Nault <g.nault@...halink.fr>
> > ---
> > Sorry for the stupid mistake. I guess I got blinded by the apparent
> > simplicity of the bug when I wrote the original patch.
> 
> Applied, thanks.
> 
> I'm pretty sure I backported the commit this fixes, so I'm queueing
> this up for -stable as well.
> 
Well, I think it wasn't. I didn't receive any notification from the
stable team about it and I don't see it in Greg's stable queue nor
in any -stable tree.

Also, we'd have to queue 90904ff5f958 ("l2tp: fix pseudo-wire type for
sessions created by pppol2tp_connect()") first, which is necessary for
properly identifying PPP sessions.

To recapitulate, three patches are needed to fix the original bug:

  * 90904ff5f958 ("l2tp: fix pseudo-wire type for sessions created by
    pppol2tp_connect()"): allows later patches to check if a session is
    PPP.

  * ecd012e45ab5 ("l2tp: filter out non-PPP sessions in
    pppol2tp_tunnel_ioctl()"): refuses calling pppol2tp_session_ioctl()
    on non-PPP sessions. This fixes an invalid pointer dereference when
    the session is Ethernet. Unfortunately it fails to drop the
    reference it takes on the session.

  * f664e37dcc52 ("l2tp: fix missing refcount drop in
    pppol2tp_tunnel_ioctl()"): fixes the memory leak introduced by the
    previous patch.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ