get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/806433/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 806433,
    "url": "http://patchwork.ozlabs.org/api/patches/806433/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170828081014.24028-1-po-hsu.lin@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20170828081014.24028-1-po-hsu.lin@canonical.com>",
    "list_archive_url": null,
    "date": "2017-08-28T08:10:14",
    "name": "[CVE-2016-10200,SRU,Trusty] l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{, 6}_bind()",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "8371ac27ffa6e15085847cee5515e2db462d74eb",
    "submitter": {
        "id": 70488,
        "url": "http://patchwork.ozlabs.org/api/people/70488/?format=api",
        "name": "Po-Hsu Lin",
        "email": "po-hsu.lin@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170828081014.24028-1-po-hsu.lin@canonical.com/mbox/",
    "series": [
        {
            "id": 99,
            "url": "http://patchwork.ozlabs.org/api/series/99/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=99",
            "date": "2017-08-28T08:10:14",
            "name": "[CVE-2016-10200,SRU,Trusty] l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{, 6}_bind()",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/99/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/806433/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/806433/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org",
        "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)",
        "Received": [
            "from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xgkwV3qzqz9sPt;\n\tMon, 28 Aug 2017 18:10:34 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.76)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dmF7r-00060Q-Cc; Mon, 28 Aug 2017 08:10:27 +0000",
            "from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <po-hsu.lin@canonical.com>)\n\tid 1dmF7n-00060G-AA\n\tfor kernel-team@lists.ubuntu.com; Mon, 28 Aug 2017 08:10:23 +0000",
            "from mail-pf0-f198.google.com ([209.85.192.198])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <po-hsu.lin@canonical.com>)\n\tid 1dmF7m-0002X4-Te\n\tfor kernel-team@lists.ubuntu.com; Mon, 28 Aug 2017 08:10:23 +0000",
            "by mail-pf0-f198.google.com with SMTP id r187so13716757pfr.8\n\tfor <kernel-team@lists.ubuntu.com>;\n\tMon, 28 Aug 2017 01:10:22 -0700 (PDT)",
            "from localhost.localdomain ([175.41.48.77])\n\tby smtp.gmail.com with ESMTPSA id\n\t2sm22396054pfi.104.2017.08.28.01.10.19\n\tfor <kernel-team@lists.ubuntu.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tMon, 28 Aug 2017 01:10:20 -0700 (PDT)"
        ],
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:subject:date:message-id;\n\tbh=fuNS9l3W3PaXwneowlOxnw776pLBxXjgBGGECqspWpQ=;\n\tb=CglI+TnC2t95+E7tlV3lXB30U5fSXkUd1xRbY+pWDwpMt2gAOEGABLd9J8qeC1CxH+\n\tlJbzD/IUoF88VUjEriiC7pnNEqAhfCu84uKFzcUyxSLUuSqfeUzlqnz7XJGxGglkWAIM\n\tUWRlU/Vr5i3mBiWs8Iuay2uuV5+5bjXRrH7I1bv/ktPsIE8dhefc3pKvbtJx7qENn1QR\n\tP37tl+NvhWxvMsEQGjmcd6Ii9Hahp+bXuY4FPy7X9PssyeVjc8temAukdcZoZOvBHLIB\n\tOS3K5/sizmZDhE2WgiQTV3dfZGvVMkFjvXudb15luNUMY/Nh3OARZMMafVbGoC+yTDOn\n\tLraw==",
        "X-Gm-Message-State": "AHYfb5izPrg5OfmNtxu76V3H3r0UJkkf840aV/Mwoe55Q0VAWYMiphHd\n\tpFJ202v9zwYzw+nuVhyluFNWmD0k2Mqf7HQTz7HVEeolzppjpz412PVSZFcFSk5r8/pcWPxaoOu\n\t9zI0JX5VhnMV7++rHD/uRWyjhbCua9BE6",
        "X-Received": [
            "by 10.98.54.195 with SMTP id d186mr6604630pfa.57.1503907821256; \n\tMon, 28 Aug 2017 01:10:21 -0700 (PDT)",
            "by 10.98.54.195 with SMTP id d186mr6604617pfa.57.1503907820935; \n\tMon, 28 Aug 2017 01:10:20 -0700 (PDT)"
        ],
        "From": "Po-Hsu Lin <po-hsu.lin@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[CVE-2016-10200][SRU][Trusty] l2tp: fix racy SOCK_ZAPPED flag check\n\tin l2tp_ip{, 6}_bind()",
        "Date": "Mon, 28 Aug 2017 16:10:14 +0800",
        "Message-Id": "<20170828081014.24028-1-po-hsu.lin@canonical.com>",
        "X-Mailer": "git-send-email 2.11.0",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.14",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "MIME-Version": "1.0",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "kernel-team-bounces@lists.ubuntu.com"
    },
    "content": "From: Guillaume Nault <g.nault@alphalink.fr>\n\nCVE-2016-10200\n\nLock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().\nWithout lock, a concurrent call could modify the socket flags between\nthe sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,\na socket could be inserted twice in l2tp_ip6_bind_table. Releasing it\nwould then leave a stale pointer there, generating use-after-free\nerrors when walking through the list or modifying adjacent entries.\n\nBUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8\nWrite of size 8 by task syz-executor/10987\nCPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014\n ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0\n ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc\n ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0\nCall Trace:\n [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15\n [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156\n [<     inline     >] print_address_description mm/kasan/report.c:194\n [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283\n [<     inline     >] kasan_report mm/kasan/report.c:303\n [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329\n [<     inline     >] __write_once_size ./include/linux/compiler.h:249\n [<     inline     >] __hlist_del ./include/linux/list.h:622\n [<     inline     >] hlist_del_init ./include/linux/list.h:637\n [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239\n [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415\n [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422\n [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570\n [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017\n 
[<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208\n [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244\n [<ffffffff813774f9>] task_work_run+0xf9/0x170\n [<ffffffff81324aae>] do_exit+0x85e/0x2a00\n [<ffffffff81326dc8>] do_group_exit+0x108/0x330\n [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307\n [<ffffffff811b49af>] do_signal+0x7f/0x18f0\n [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156\n [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190\n [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259\n [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6\nObject at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448\nAllocated:\nPID = 10987\n [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20\n [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0\n [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0\n [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20\n [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417\n [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708\n [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716\n [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721\n [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326\n [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388\n [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182\n [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153\n [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193\n [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223\n [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203\n [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6\nFreed:\nPID = 10987\n [ 1116.897025] [<ffffffff811ddcb6>] 
save_stack_trace+0x16/0x20\n [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0\n [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0\n [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352\n [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374\n [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951\n [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973\n [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369\n [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444\n [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452\n [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460\n [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471\n [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589\n [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243\n [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415\n [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422\n [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570\n [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017\n [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208\n [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244\n [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170\n [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00\n [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330\n [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307\n [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0\n [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156\n [ 1116.897025] [<     inline     >] prepare_exit_to_usermode 
arch/x86/entry/common.c:190\n [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259\n [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6\nMemory state around the buggy address:\n ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb\n                                                    ^\n ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "diff": "==================================================================\n\nThe same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.\n\nFixes: c51ce49735c1 (\"l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case\")\nReported-by: Baozeng Ding <sploving1@gmail.com>\nReported-by: Andrey Konovalov <andreyknvl@google.com>\nTested-by: Baozeng Ding <sploving1@gmail.com>\nSigned-off-by: Guillaume Nault <g.nault@alphalink.fr>\nSigned-off-by: David S. Miller <davem@davemloft.net>\n(cherry picked from commit 32c231164b762dddefa13af5a0101032c70b50ef)\nSigned-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>\n---\n net/l2tp/l2tp_ip.c  | 5 +++--\n net/l2tp/l2tp_ip6.c | 5 +++--\n 2 files changed, 6 insertions(+), 4 deletions(-)\n\ndiff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c\nindex da1a1ce..31317f0 100644\n--- a/net/l2tp/l2tp_ip.c\n+++ b/net/l2tp/l2tp_ip.c\n@@ -249,8 +249,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n \tint ret;\n \tint chk_addr_ret;\n \n-\tif (!sock_flag(sk, SOCK_ZAPPED))\n-\t\treturn -EINVAL;\n \tif (addr_len < sizeof(struct sockaddr_l2tpip))\n \t\treturn -EINVAL;\n \tif (addr->l2tp_family != AF_INET)\n@@ -265,6 +263,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n \tread_unlock_bh(&l2tp_ip_lock);\n \n \tlock_sock(sk);\n+\tif (!sock_flag(sk, SOCK_ZAPPED))\n+\t\tgoto out;\n+\n \tif (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip))\n \t\tgoto out;\n \ndiff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c\nindex 99284c5..8e571ef 100644\n--- a/net/l2tp/l2tp_ip6.c\n+++ b/net/l2tp/l2tp_ip6.c\n@@ -264,8 +264,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n \tint addr_type;\n \tint err;\n \n-\tif (!sock_flag(sk, SOCK_ZAPPED))\n-\t\treturn -EINVAL;\n \tif (addr->l2tp_family != AF_INET6)\n \t\treturn -EINVAL;\n \tif (addr_len < sizeof(*addr))\n@@ -291,6 +289,9 @@ static int l2tp_ip6_bind(struct sock *sk, 
struct sockaddr *uaddr, int addr_len)\n \tlock_sock(sk);\n \n \terr = -EINVAL;\n+\tif (!sock_flag(sk, SOCK_ZAPPED))\n+\t\tgoto out_unlock;\n+\n \tif (sk->sk_state != TCP_CLOSE)\n \t\tgoto out_unlock;\n \n",
    "prefixes": [
        "CVE-2016-10200",
        "SRU",
        "Trusty"
    ]
}
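Review bot: in the second net/l2tp/l2tp_ip.c hunk (@@ -265,6 +263,9 @@), the relocated `if (!sock_flag(sk, SOCK_ZAPPED)) goto out;` returns whatever `ret` holds at that point, and no assignment to `ret` is visible in the hunk, whereas the removed early check returned -EINVAL explicitly. The l2tp_ip6.c counterpart sits directly after `err = -EINVAL;`, so the two bind paths may now report different errors for a socket that is already bound. Either set `ret = -EINVAL;` just before the check or say in the commit message that the changed errno is intended, since callers that match on EINVAL for a repeated bind() would otherwise see a behaviour change in a stable update.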
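Review bot: in the second net/l2tp/l2tp_ip6.c hunk (@@ -291,6 +289,9 @@), the SOCK_ZAPPED test is only correct because it now sits after `lock_sock(sk)`, but nothing in the code records that ordering requirement. A one-line comment above `if (!sock_flag(sk, SOCK_ZAPPED))` stating that the flag must be tested with the socket lock held (otherwise a concurrent bind() can insert the socket twice into l2tp_ip6_bind_table, as the commit message describes) would keep a later cleanup from hoisting the test back among the unlocked argument checks. The same comment applies to the matching check added in l2tp_ip.c.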