remarkable-linux/net/l2tp
Eric Dumazet 286c72deab udp: must lock the socket in udp_disconnect()
Baozeng Ding reported KASAN traces showing uses after free in
udp_lib_get_port() and other related UDP functions.

A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.

I could write a reproducer with two threads doing:

static int sock_fd;
static void *thr1(void *arg)
{
	for (;;) {
		connect(sock_fd, (const struct sockaddr *)arg,
			sizeof(struct sockaddr_in));
	}
}

static void *thr2(void *arg)
{
	struct sockaddr_in unspec;

	for (;;) {
		memset(&unspec, 0, sizeof(unspec));
		connect(sock_fd, (const struct sockaddr *)&unspec,
			sizeof(unspec));
	}
}

Problem is that udp_disconnect() could run without holding socket lock,
and this was causing list corruptions.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-10-20 14:45:52 -04:00
Kconfig l2tp: Call udp_sock_create 2014-07-14 16:12:15 -07:00
l2tp_core.c l2tp: fix use-after-free during module unload 2016-09-02 11:44:44 -07:00
l2tp_core.h l2tp: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
l2tp_debugfs.c ipv6: make lookups simpler and faster 2013-10-09 00:01:25 -04:00
l2tp_eth.c l2tp: constify net_device_ops structures 2016-09-17 10:07:23 -04:00
l2tp_ip.c udp: must lock the socket in udp_disconnect() 2016-10-20 14:45:52 -04:00
l2tp_ip6.c udp: must lock the socket in udp_disconnect() 2016-10-20 14:45:52 -04:00
l2tp_netlink.c l2tp: make nla_policy const 2016-09-01 14:09:01 -07:00
l2tp_ppp.c l2tp: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
Makefile l2tp: introduce L2TPv3 IP encapsulation support for IPv6 2012-05-01 09:30:55 -04:00