1 | From foo@baz Thu Mar 29 08:53:48 CEST 2018 |
2 | From: Eric Dumazet <edumazet@google.com> | |
3 | Date: Tue, 6 Mar 2018 07:54:53 -0800 | |
4 | Subject: l2tp: do not accept arbitrary sockets | |
5 | ||
6 | From: Eric Dumazet <edumazet@google.com> | |
7 | ||
8 | ||
9 | [ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ] | |
10 | ||
11 | syzkaller found an issue caused by lack of sufficient checks | |
12 | in l2tp_tunnel_create() | |
13 | ||
14 | RAW sockets can not be considered as UDP ones for instance. | |
15 | ||
16 | In another patch, we shall replace all pr_err() by less intrusive | |
17 | pr_debug() so that syzkaller can find other bugs faster. | |
18 | Acked-by: Guillaume Nault <g.nault@alphalink.fr> | |
19 | Acked-by: James Chapman <jchapman@katalix.com> | |
20 | ||
21 | ================================================================== | |
22 | BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69 | |
23 | dst_release: dst:00000000d53d0d0f refcnt:-1 | |
24 | Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242 | |
25 | ||
26 | CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253 | |
27 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 | |
28 | Call Trace: | |
29 | __dump_stack lib/dump_stack.c:17 [inline] | |
30 | dump_stack+0x194/0x24d lib/dump_stack.c:53 | |
31 | print_address_description+0x73/0x250 mm/kasan/report.c:256 | |
32 | kasan_report_error mm/kasan/report.c:354 [inline] | |
33 | kasan_report+0x23b/0x360 mm/kasan/report.c:412 | |
34 | __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435 | |
35 | setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69 | |
36 | l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596 | |
37 | pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707 | |
38 | SYSC_connect+0x213/0x4a0 net/socket.c:1640 | |
39 | SyS_connect+0x24/0x30 net/socket.c:1621 | |
40 | do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 | |
41 | entry_SYSCALL_64_after_hwframe+0x42/0xb7 | |
42 | ||
43 | Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") | |
44 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
45 | Reported-by: syzbot <syzkaller@googlegroups.com> | |
46 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
47 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
48 | --- | |
49 | net/l2tp/l2tp_core.c | 8 ++++++-- | |
50 | 1 file changed, 6 insertions(+), 2 deletions(-) | |
51 | ||
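--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1517,9 +1517,14 @@ int l2tp_tunnel_create(struct net *net,
 encap = cfg->encap;
 
 /* Quick sanity checks */
+ err = -EPROTONOSUPPORT;
+ if (sk->sk_type != SOCK_DGRAM) {
+ pr_debug("tunl %hu: fd %d wrong socket type\n",
+ tunnel_id, fd);
+ goto err;
+ }
 switch (encap) {
 case L2TP_ENCAPTYPE_UDP:
- err = -EPROTONOSUPPORT;
 if (sk->sk_protocol != IPPROTO_UDP) {
 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
@@ -1527,7 +1532,6 @@ int l2tp_tunnel_create(struct net *net,
 }
 break;
 case L2TP_ENCAPTYPE_IP:
- err = -EPROTONOSUPPORT;
 if (sk->sk_protocol != IPPROTO_L2TP) {
 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);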
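Review bot: The added `sk->sk_type != SOCK_DGRAM` guard in the first hunk rejects non-datagram sockets, but nothing visible in either hunk checks `sk->sk_family`; if the rest of l2tp_tunnel_create (which begins before and continues after these hunks) does not validate it, a SOCK_DGRAM socket of another family whose sk_protocol happened to equal the expected value could presumably still pass these checks and reach setup_udp_tunnel_sock, so that is worth confirming against the full function. The new check also logs with `pr_debug` while the two protocol checks that follow it still use `pr_err`, and unlike them it omits the offending value, which makes a rejected connect harder to diagnose; the commit message defers the pr_err-to-pr_debug conversion to a later patch, but the new message could already carry the value: `pr_debug("tunl %hu: fd %d wrong socket type, got %d, expected %d\n", tunnel_id, fd, sk->sk_type, SOCK_DGRAM);`. The `goto err` target lies outside the hunk, so whether that path drops the reference taken on the looked-up socket cannot be confirmed from here.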