projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 66d1cac4 GKH |
1 | From foo@baz Thu Mar 29 08:53:48 CEST 2018 |
| 2 | From: Eric Dumazet <edumazet@google.com> | |
| 3 | Date: Tue, 6 Mar 2018 07:54:53 -0800 | |
| 4 | Subject: l2tp: do not accept arbitrary sockets | |
| 5 | ||
| 6 | From: Eric Dumazet <edumazet@google.com> | |
| 7 | ||
| 8 | ||
| 9 | [ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ] | |
| 10 | ||
| 11 | syzkaller found an issue caused by lack of sufficient checks | |
| 12 | in l2tp_tunnel_create() | |
| 13 | ||
| 14 | RAW sockets can not be considered as UDP ones for instance. | |
| 15 | ||
| 16 | In another patch, we shall replace all pr_err() by less intrusive | |
| 17 | pr_debug() so that syzkaller can find other bugs faster. | |
| 18 | Acked-by: Guillaume Nault <g.nault@alphalink.fr> | |
| 19 | Acked-by: James Chapman <jchapman@katalix.com> | |
| 20 | ||
| 21 | ================================================================== | |
| 22 | BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69 | |
| 23 | dst_release: dst:00000000d53d0d0f refcnt:-1 | |
| 24 | Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242 | |
| 25 | ||
| 26 | CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253 | |
| 27 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 | |
| 28 | Call Trace: | |
| 29 | __dump_stack lib/dump_stack.c:17 [inline] | |
| 30 | dump_stack+0x194/0x24d lib/dump_stack.c:53 | |
| 31 | print_address_description+0x73/0x250 mm/kasan/report.c:256 | |
| 32 | kasan_report_error mm/kasan/report.c:354 [inline] | |
| 33 | kasan_report+0x23b/0x360 mm/kasan/report.c:412 | |
| 34 | __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435 | |
| 35 | setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69 | |
| 36 | l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596 | |
| 37 | pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707 | |
| 38 | SYSC_connect+0x213/0x4a0 net/socket.c:1640 | |
| 39 | SyS_connect+0x24/0x30 net/socket.c:1621 | |
| 40 | do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 | |
| 41 | entry_SYSCALL_64_after_hwframe+0x42/0xb7 | |
| 42 | ||
| 43 | Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") | |
| 44 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
| 45 | Reported-by: syzbot <syzkaller@googlegroups.com> | |
| 46 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
| 47 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 48 | --- | |
| 49 | net/l2tp/l2tp_core.c | 8 ++++++-- | |
| 50 | 1 file changed, 6 insertions(+), 2 deletions(-) | |
| 51 | ||
| 52 | --- a/net/l2tp/l2tp_core.c | |
| 53 | +++ b/net/l2tp/l2tp_core.c | |
| 54 | @@ -1517,9 +1517,14 @@ int l2tp_tunnel_create(struct net *net, | |
| 55 | encap = cfg->encap; | |
| 56 | ||
| 57 | /* Quick sanity checks */ | |
| 58 | + err = -EPROTONOSUPPORT; | |
| 59 | + if (sk->sk_type != SOCK_DGRAM) { | |
| 60 | + pr_debug("tunl %hu: fd %d wrong socket type\n", | |
| 61 | + tunnel_id, fd); | |
| 62 | + goto err; | |
| 63 | + } | |
| 64 | switch (encap) { | |
| 65 | case L2TP_ENCAPTYPE_UDP: | |
| 66 | - err = -EPROTONOSUPPORT; | |
| 67 | if (sk->sk_protocol != IPPROTO_UDP) { | |
| 68 | pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", | |
| 69 | tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP); | |
| 70 | @@ -1527,7 +1532,6 @@ int l2tp_tunnel_create(struct net *net, | |
| 71 | } | |
| 72 | break; | |
| 73 | case L2TP_ENCAPTYPE_IP: | |
| 74 | - err = -EPROTONOSUPPORT; | |
| 75 | if (sk->sk_protocol != IPPROTO_L2TP) { | |
| 76 | pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", | |
| 77 | tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP); |