lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 13 Aug 2018 08:49:02 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     weiwan@...gle.com
Cc:     netdev@...r.kernel.org, kafai@...com, g.nault@...halink.fr,
        dsahern@...il.com, xiyou.wangcong@...il.com
Subject: Re: [PATCH net v2] l2tp: use sk_dst_check() to avoid race on
 sk->sk_dst_cache

From: Wei Wang <weiwan@...gle.com>
Date: Fri, 10 Aug 2018 11:14:56 -0700

> From: Wei Wang <weiwan@...gle.com>
> 
> In l2tp code, if it is a L2TP_UDP_ENCAP tunnel, tunnel->sk points to a
> UDP socket. User could call sendmsg() on both this tunnel and the UDP
> socket itself concurrently. As l2tp_xmit_skb() holds socket lock and call
> __sk_dst_check() to refresh sk->sk_dst_cache, while udpv6_sendmsg() is
> lockless and call sk_dst_check() to refresh sk->sk_dst_cache, there
> could be a race and cause the dst cache to be freed multiple times.
> So we fix l2tp side code to always call sk_dst_check() to garantee
> xchg() is called when refreshing sk->sk_dst_cache to avoid race
> conditions.
> 
> Syzkaller reported stack trace:
 ...
> 
> Fixes: 71b1391a4128 ("l2tp: ensure sk->dst is still valid")
> Reported-by: syzbot+05f840f3b04f211bad55@...kaller.appspotmail.com
> Signed-off-by: Wei Wang <weiwan@...gle.com>
> Signed-off-by: Martin KaFai Lau <kafai@...com>
 ...
> ---
> v1->v2: Removed dst_clone() as Guillaume Nault suggested

Applied and queued up for -stable, thank you.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ