| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250527134625.15216-1-antonio@openvpn.net>
Date: Tue, 27 May 2025 15:46:16 +0200
From: Antonio Quartulli <antonio@...nvpn.net>
To: netdev@...r.kernel.org
Cc: Antonio Quartulli <antonio@...nvpn.net>,
Sabrina Dubroca <sd@...asysnail.net>,
"David S . Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Subject: [PATCH net-next 0/4] pull request: fixes for ovpn 2025-05-27
Hi netdev-team,
I am targetting net-next because ovpn has been merged to net yet.
In this batch you can find two major bugfixes:
Patch 1: when releasing a UDP socket we were wrongly invoking
setup_udp_tunnel_sock() with an empty config. This was not
properly shutting down the UDP encap state.
This patch fixes this misbehaviour by implementing an "undo"
function called cleanup_udp_tunnel_sock() which properly
takes care or unwinding the encap state.
Implementing this function required some extra changes to the
udp/udp_tunnel code, especially to avoid race conditions with
udp_destroy_sock().
Patch 2: ovpn was holding a reference to a 'struct socket'
without increasing its reference counter. This was intended
and worked as expected until we hit a race condition where
user space tries to close the socket while kernel space is
also releasing it. In this case the (struct socket *)->sk
member would disappear under our feet leading to a null-ptr-deref.
This patch fixes this issue by having ovpn hold a reference
directly to the sk member while also increasing its reference
counter.
Patch 3 and 4 are instead fixing minor issues in the ovpn
kselftests.
Please pull.
Thanks a lot,
Antonio
The following changes since commit b2908a989c594f9eb1c93016abc1382f97ee02b1:
net: phy: add driver for MaxLinear MxL86110 PHY (2025-05-27 09:36:17 +0200)
are available in the Git repository at:
https://github.com/OpenVPN/ovpn-net-next tags/ovpn-net-next-20250527
for you to fetch changes up to 545e4c173cf94b4e5bbfe8ee09de2fbe556bb75a:
selftest/net/ovpn: fix missing file (2025-05-27 13:50:50 +0200)
----------------------------------------------------------------
This bugfix batch includes the following changes:
* dropped call to setup_udp_tunnel_sock() during cleanup,
substituted by new cleanup_udp_tunnel_sock(), which
required:
** implementing udp_tunnel_encap_disable()
** implementing udpv6_encap_disable()
** calling udp_test_and_clear_bit() in udp_destroy_socket()
* fixed race condition between peer removal (by kernel
space) and socket closing (by user space)
* fixes for ovpn kselftests
----------------------------------------------------------------
Antonio Quartulli (4):
ovpn: properly deconfigure UDP-tunnel
ovpn: ensure sk is still valid during cleanup
selftest/net/ovpn: fix TCP socket creation
selftest/net/ovpn: fix missing file
drivers/net/ovpn/io.c | 8 +--
drivers/net/ovpn/netlink.c | 25 ++++----
drivers/net/ovpn/peer.c | 4 +-
drivers/net/ovpn/socket.c | 68 ++++++++++++----------
drivers/net/ovpn/socket.h | 4 +-
drivers/net/ovpn/tcp.c | 65 ++++++++++-----------
drivers/net/ovpn/tcp.h | 3 +-
drivers/net/ovpn/udp.c | 37 ++++--------
drivers/net/ovpn/udp.h | 4 +-
include/linux/udp.h | 2 +
include/net/ipv6_stubs.h | 1 +
include/net/udp.h | 1 +
include/net/udp_tunnel.h | 13 +++++
net/ipv4/udp.c | 2 +-
net/ipv4/udp_tunnel_core.c | 22 +++++++
net/ipv6/af_inet6.c | 1 +
net/ipv6/udp.c | 8 ++-
tools/testing/selftests/net/ovpn/ovpn-cli.c | 1 +
tools/testing/selftests/net/ovpn/test-large-mtu.sh | 9 +++
19 files changed, 167 insertions(+), 111 deletions(-)
create mode 100755 tools/testing/selftests/net/ovpn/test-large-mtu.sh
Powered by blists - more mailing lists