[{"id":1758485,"web_url":"http://patchwork.ozlabs.org/comment/1758485/","msgid":"<b52f381a-085b-8e84-4957-ccdfb85f0d2d@canonical.com>","list_archive_url":null,"date":"2017-08-28T10:27:54","subject":"ACK: [CVE-2016-10200][SRU][Trusty] l2tp: fix racy SOCK_ZAPPED flag\n\tcheck in l2tp_ip{, 6}_bind()","submitter":{"id":71419,"url":"http://patchwork.ozlabs.org/api/people/71419/","name":"Kleber Sacilotto de Souza","email":"kleber.souza@canonical.com"},"content":"On 08/28/17 10:10, Po-Hsu Lin wrote:\n> 
From: Guillaume Nault <g.nault@alphalink.fr>\n> \n> CVE-2016-10200\n> \n> Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().\n> Without lock, a concurrent call could modify the socket flags between\n> the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,\n> a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it\n> would then leave a stale pointer there, generating use-after-free\n> errors when walking through the list or modifying adjacent entries.\n> \n> BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8\n> Write of size 8 by task syz-executor/10987\n> CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014\n>  ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0\n>  ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc\n>  ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0\n> Call Trace:\n>  [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15\n>  [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156\n>  [<     inline     >] print_address_description mm/kasan/report.c:194\n>  [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283\n>  [<     inline     >] kasan_report mm/kasan/report.c:303\n>  [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329\n>  [<     inline     >] __write_once_size ./include/linux/compiler.h:249\n>  [<     inline     >] __hlist_del ./include/linux/list.h:622\n>  [<     inline     >] hlist_del_init ./include/linux/list.h:637\n>  [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239\n>  [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415\n>  [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422\n>  [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570\n>  
[<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017\n>  [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208\n>  [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244\n>  [<ffffffff813774f9>] task_work_run+0xf9/0x170\n>  [<ffffffff81324aae>] do_exit+0x85e/0x2a00\n>  [<ffffffff81326dc8>] do_group_exit+0x108/0x330\n>  [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307\n>  [<ffffffff811b49af>] do_signal+0x7f/0x18f0\n>  [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156\n>  [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190\n>  [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259\n>  [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6\n> Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448\n> Allocated:\n> PID = 10987\n>  [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20\n>  [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0\n>  [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0\n>  [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20\n>  [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417\n>  [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708\n>  [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716\n>  [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721\n>  [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326\n>  [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388\n>  [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182\n>  [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153\n>  [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193\n>  [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223\n>  [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203\n>  [ 1116.897025] 
[<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6\n> Freed:\n> PID = 10987\n>  [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20\n>  [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0\n>  [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0\n>  [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352\n>  [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374\n>  [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951\n>  [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973\n>  [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369\n>  [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444\n>  [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452\n>  [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460\n>  [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471\n>  [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589\n>  [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243\n>  [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415\n>  [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422\n>  [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570\n>  [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017\n>  [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208\n>  [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244\n>  [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170\n>  [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00\n>  [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330\n>  [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307\n>  [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0\n>  
[ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156\n>  [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190\n>  [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259\n>  [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6\n> Memory state around the buggy address:\n>  ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>  ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>> ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb\n>                                                     ^\n>  ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>  ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n> \n> ==================================================================\n> \n> The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.\n> \n> Fixes: c51ce49735c1 (\"l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case\")\n> Reported-by: Baozeng Ding <sploving1@gmail.com>\n> Reported-by: Andrey Konovalov <andreyknvl@google.com>\n> Tested-by: Baozeng Ding <sploving1@gmail.com>\n> Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>\n> Signed-off-by: David S. Miller <davem@davemloft.net>\n> (cherry picked from commit 32c231164b762dddefa13af5a0101032c70b50ef)\n> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>\n> ---\n>  net/l2tp/l2tp_ip.c  | 5 +++--\n>  net/l2tp/l2tp_ip6.c | 5 +++--\n>  2 files changed, 6 insertions(+), 4 deletions(-)\n> \n> diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c\n> index da1a1ce..31317f0 100644\n> --- a/net/l2tp/l2tp_ip.c\n> +++ b/net/l2tp/l2tp_ip.c\n> 
@@ -249,8 +249,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tint ret;\n>  \tint chk_addr_ret;\n>  \n> -\tif (!sock_flag(sk, SOCK_ZAPPED))\n> -\t\treturn -EINVAL;\n>  \tif (addr_len < sizeof(struct sockaddr_l2tpip))\n>  \t\treturn -EINVAL;\n>  \tif (addr->l2tp_family != AF_INET)\n> @@ -265,6 +263,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tread_unlock_bh(&l2tp_ip_lock);\n>  \n>  \tlock_sock(sk);\n> +\tif (!sock_flag(sk, SOCK_ZAPPED))\n> +\t\tgoto out;\n> +\n>  \tif (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip))\n>  \t\tgoto out;\n>  \n> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c\n> index 99284c5..8e571ef 100644\n> --- a/net/l2tp/l2tp_ip6.c\n> +++ b/net/l2tp/l2tp_ip6.c\n> @@ -264,8 +264,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tint addr_type;\n>  \tint err;\n>  \n> -\tif (!sock_flag(sk, SOCK_ZAPPED))\n> -\t\treturn -EINVAL;\n>  \tif (addr->l2tp_family != AF_INET6)\n>  \t\treturn -EINVAL;\n>  \tif (addr_len < sizeof(*addr))\n> 
@@ -291,6 +289,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tlock_sock(sk);\n>  \n>  \terr = -EINVAL;\n> +\tif (!sock_flag(sk, SOCK_ZAPPED))\n> +\t\tgoto out_unlock;\n> +\n>  \tif (sk->sk_state != TCP_CLOSE)\n>  \t\tgoto out_unlock;\n>  \n> \n\nAcked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xgnzB6X0zz9s8P;\n\tMon, 28 Aug 2017 20:28:06 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.76)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dmHH1-0006TB-3w; Mon, 28 Aug 2017 10:28:03 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dmHGv-0006S3-Tv\n\tfor kernel-team@lists.ubuntu.com; Mon, 28 Aug 2017 10:27:57 +0000","from mail-wr0-f198.google.com ([209.85.128.198])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dmHGv-0003rq-Kc\n\tfor kernel-team@lists.ubuntu.com; Mon, 28 Aug 2017 10:27:57 +0000","by mail-wr0-f198.google.com with SMTP id g23so115269wrg.11\n\tfor <kernel-team@lists.ubuntu.com>;\n\tMon, 28 Aug 2017 03:27:57 -0700 (PDT)","from ?IPv6:2a02:8109:a540:7e8:61c3:93b3:3501:6e41?\n\t([2a02:8109:a540:7e8:61c3:93b3:3501:6e41])\n\tby smtp.gmail.com 
with ESMTPSA id r4sm21171edd.57.2017.08.28.03.27.55\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tMon, 28 Aug 2017 03:27:55 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:subject:to:references:from:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-language\n\t:content-transfer-encoding;\n\tbh=rxGATJ8hJkiTqXmpG6cT0d43LxLI6gsIicNyo0e4jb8=;\n\tb=MTHJJvnqNwbcmPmg6VMu5tYFwePvoXvHu0i647wjaYZHiZ8WVoDmJLlYFlH9bFoYyD\n\tvpxK2UpKmYtPi6/aUwFLk4vdTgA9rgTI08u28PPPh4kEisCz75Uk6CuHID69sKaEMPjA\n\tiyJRI0wnF+YwKZGFdQwY6UVCCDOhOFP7pFf058B//yD2KlvzEWMQOmd4BWiP5ByN/KCc\n\thS+pId4MyNXkPDbi0B2zEnpEgxFdJZkS6oga4tQ53xVjDVPA6RBJPJo+ymvfV0EFd0WU\n\tZ8qq+ZJc2nR4zompR+3y78QhgqCAInG88DMOGIv/EItz+VnqwHI8vu69HlQP38WmHSAs\n\tDoZQ==","X-Gm-Message-State":"AHYfb5gXp6hZ2KF++bW+BQJeZKwLXvlpqK91J1p2OoDYGIvsRP2Gt54G\n\tA/UeSPitk6upXgbS84qdId3O54JGdMhxW2roXF+ikGrDB9waVToMDTS+goUV87F8v2uBXvGfTII\n\tJOZpMzRd6/oIYTnv/7PTZaWW8h8L1QgYk","X-Received":["by 10.80.169.97 with SMTP id m30mr79754edc.115.1503916076920;\n\tMon, 28 Aug 2017 03:27:56 -0700 (PDT)","by 10.80.169.97 with SMTP id m30mr79746edc.115.1503916076632;\n\tMon, 28 Aug 2017 03:27:56 -0700 (PDT)"],"Subject":"ACK: [CVE-2016-10200][SRU][Trusty] l2tp: fix racy SOCK_ZAPPED flag\n\tcheck in l2tp_ip{, 6}_bind()","To":"Po-Hsu Lin <po-hsu.lin@canonical.com>, kernel-team@lists.ubuntu.com","References":"<20170828081014.24028-1-po-hsu.lin@canonical.com>","From":"Kleber Souza <kleber.souza@canonical.com>","Message-ID":"<b52f381a-085b-8e84-4957-ccdfb85f0d2d@canonical.com>","Date":"Mon, 28 Aug 2017 12:27:54 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170828081014.24028-1-po-hsu.lin@canonical.com>","Content-Language":"en-US","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.14","Precedence":"list","List-Id":"Kernel team 
discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"kernel-team-bounces@lists.ubuntu.com"}},{"id":1759112,"web_url":"http://patchwork.ozlabs.org/comment/1759112/","msgid":"<654a3da5-b1bd-ced8-d1cd-70b38a1f30e4@canonical.com>","list_archive_url":null,"date":"2017-08-29T08:14:08","subject":"ACK: [CVE-2016-10200][SRU][Trusty] l2tp: fix racy SOCK_ZAPPED flag\n\tcheck in l2tp_ip{, 6}_bind()","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 28.08.2017 10:10, Po-Hsu Lin wrote:\n> 
From: Guillaume Nault <g.nault@alphalink.fr>\n> \n> CVE-2016-10200\n> \n> Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().\n> Without lock, a concurrent call could modify the socket flags between\n> the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,\n> a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it\n> would then leave a stale pointer there, generating use-after-free\n> errors when walking through the list or modifying adjacent entries.\n> \n> BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8\n> Write of size 8 by task syz-executor/10987\n> CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014\n>  ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0\n>  ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc\n>  ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0\n> Call Trace:\n>  [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15\n>  [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156\n>  [<     inline     >] print_address_description mm/kasan/report.c:194\n>  [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283\n>  [<     inline     >] kasan_report mm/kasan/report.c:303\n>  [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329\n>  [<     inline     >] __write_once_size ./include/linux/compiler.h:249\n>  [<     inline     >] __hlist_del ./include/linux/list.h:622\n>  [<     inline     >] hlist_del_init ./include/linux/list.h:637\n>  [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239\n>  [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415\n>  [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422\n>  [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570\n>  
[<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017\n>  [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208\n>  [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244\n>  [<ffffffff813774f9>] task_work_run+0xf9/0x170\n>  [<ffffffff81324aae>] do_exit+0x85e/0x2a00\n>  [<ffffffff81326dc8>] do_group_exit+0x108/0x330\n>  [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307\n>  [<ffffffff811b49af>] do_signal+0x7f/0x18f0\n>  [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156\n>  [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190\n>  [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259\n>  [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6\n> Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448\n> Allocated:\n> PID = 10987\n>  [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20\n>  [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0\n>  [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0\n>  [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20\n>  [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417\n>  [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708\n>  [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716\n>  [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721\n>  [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326\n>  [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388\n>  [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182\n>  [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153\n>  [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193\n>  [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223\n>  [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203\n>  [ 1116.897025] 
[<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6\n> Freed:\n> PID = 10987\n>  [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20\n>  [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0\n>  [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0\n>  [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352\n>  [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374\n>  [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951\n>  [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973\n>  [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369\n>  [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444\n>  [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452\n>  [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460\n>  [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471\n>  [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589\n>  [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243\n>  [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415\n>  [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422\n>  [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570\n>  [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017\n>  [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208\n>  [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244\n>  [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170\n>  [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00\n>  [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330\n>  [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307\n>  [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0\n>  
[ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156\n>  [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190\n>  [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259\n>  [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6\n> Memory state around the buggy address:\n>  ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>  ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n>> ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb\n>                                                     ^\n>  ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>  ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n> \n> ==================================================================\n> \n> The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.\n> \n> Fixes: c51ce49735c1 (\"l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case\")\n> Reported-by: Baozeng Ding <sploving1@gmail.com>\n> Reported-by: Andrey Konovalov <andreyknvl@google.com>\n> Tested-by: Baozeng Ding <sploving1@gmail.com>\n> Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>\n> Signed-off-by: David S. Miller <davem@davemloft.net>\n> (cherry picked from commit 32c231164b762dddefa13af5a0101032c70b50ef)\n> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>\nAcked-by: Stefan Bader <stefan.bader@canonical.com>\n\n> ---\n>  net/l2tp/l2tp_ip.c  | 5 +++--\n>  net/l2tp/l2tp_ip6.c | 5 +++--\n>  2 files changed, 6 insertions(+), 4 deletions(-)\n> \n> diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c\n> index da1a1ce..31317f0 100644\n> --- a/net/l2tp/l2tp_ip.c\n> +++ b/net/l2tp/l2tp_ip.c\n> 
@@ -249,8 +249,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tint ret;\n>  \tint chk_addr_ret;\n>  \n> -\tif (!sock_flag(sk, SOCK_ZAPPED))\n> -\t\treturn -EINVAL;\n>  \tif (addr_len < sizeof(struct sockaddr_l2tpip))\n>  \t\treturn -EINVAL;\n>  \tif (addr->l2tp_family != AF_INET)\n> @@ -265,6 +263,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tread_unlock_bh(&l2tp_ip_lock);\n>  \n>  \tlock_sock(sk);\n> +\tif (!sock_flag(sk, SOCK_ZAPPED))\n> +\t\tgoto out;\n> +\n>  \tif (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip))\n>  \t\tgoto out;\n>  \n> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c\n> index 99284c5..8e571ef 100644\n> --- a/net/l2tp/l2tp_ip6.c\n> +++ b/net/l2tp/l2tp_ip6.c\n> @@ -264,8 +264,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tint addr_type;\n>  \tint err;\n>  \n> -\tif (!sock_flag(sk, SOCK_ZAPPED))\n> -\t\treturn -EINVAL;\n>  \tif (addr->l2tp_family != AF_INET6)\n>  \t\treturn -EINVAL;\n>  \tif (addr_len < sizeof(*addr))\n> 
@@ -291,6 +289,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)\n>  \tlock_sock(sk);\n>  \n>  \terr = -EINVAL;\n> +\tif (!sock_flag(sk, SOCK_ZAPPED))\n> +\t\tgoto out_unlock;\n> +\n>  \tif (sk->sk_state != TCP_CLOSE)\n>  \t\tgoto out_unlock;\n>  \n>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xhLyK1Kkgz9t3B;\n\tTue, 29 Aug 2017 18:14:17 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.76)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dmbf3-0005Ye-Ny; Tue, 29 Aug 2017 08:14:13 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dmbez-0005YV-NW\n\tfor kernel-team@lists.ubuntu.com; Tue, 29 Aug 2017 08:14:09 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dmbez-0003e3-E4\n\tfor kernel-team@lists.ubuntu.com; Tue, 29 Aug 2017 08:14:09 +0000"],"Subject":"ACK: [CVE-2016-10200][SRU][Trusty] l2tp: fix racy SOCK_ZAPPED flag\n\tcheck in l2tp_ip{, 6}_bind()","To":"kernel-team@lists.ubuntu.com","References":"<20170828081014.24028-1-po-hsu.lin@canonical.com>","From":"Stefan Bader 
<stefan.bader@canonical.com>","Message-ID":"<654a3da5-b1bd-ced8-d1cd-70b38a1f30e4@canonical.com>","Date":"Tue, 29 Aug 2017 10:14:08 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170828081014.24028-1-po-hsu.lin@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.14","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"multipart/mixed;\n\tboundary=\"===============1840050919985537468==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"kernel-team-bounces@lists.ubuntu.com"}},{"id":1759419,"web_url":"http://patchwork.ozlabs.org/comment/1759419/","msgid":"<fefe0c2e-36f1-f72f-d74c-55dbeb95ccef@canonical.com>","list_archive_url":null,"date":"2017-08-29T14:59:02","subject":"APPLIED: [CVE-2016-10200][SRU][Trusty] l2tp: fix racy SOCK_ZAPPED\n\tflag check in l2tp_ip{, 6}_bind()","submitter":{"id":71419,"url":"http://patchwork.ozlabs.org/api/people/71419/","name":"Kleber Sacilotto de Souza","email":"kleber.souza@canonical.com"},"content":"Applied on trusty/master-next branch. 
Thanks.","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xhWxb3S0tz9sR9;\n\tWed, 30 Aug 2017 00:59:15 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.76)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dmhyx-0007h8-TA; Tue, 29 Aug 2017 14:59:11 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dmhyr-0007gu-Jg\n\tfor kernel-team@lists.ubuntu.com; Tue, 29 Aug 2017 14:59:05 +0000","from mail-wm0-f70.google.com ([74.125.82.70])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dmhyr-0006yg-B6\n\tfor kernel-team@lists.ubuntu.com; Tue, 29 Aug 2017 14:59:05 +0000","by mail-wm0-f70.google.com with SMTP id v2so4623067wmd.11\n\tfor <kernel-team@lists.ubuntu.com>;\n\tTue, 29 Aug 2017 07:59:05 -0700 (PDT)","from ?IPv6:2a02:8109:a540:7e8:61c3:93b3:3501:6e41?\n\t([2a02:8109:a540:7e8:61c3:93b3:3501:6e41])\n\tby smtp.gmail.com with ESMTPSA id\n\tb10sm1484831edk.35.2017.08.29.07.59.03\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tTue, 29 Aug 2017 07:59:03 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20161025;\n\th=x-gm-message-state:subject:to:references:from:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-language\n\t:content-transfer-encoding;\n\tbh=1XMKtIgAYGzromFi5fbNdFSes0QHwzg2b7Nq1fFF+DY=;\n\tb=dkZFFuZCBzvMWhsnAwVlEzoY4dFQoMZBiSgGZhNMKf9Ce1eizE7myN+GUexjI9bzEk\n\tBnjPzKKx50an9oSK1k0AfjobauJv0ypCa7PzKTCRaRoWtLZa4MveFhyliXEMc2JkSgTw\n\t1KO+jdbqRdNqL9msSmFThzPpnCIr79OegEhYkm0/N6dXdSbQ/XBqhgWzvoRQy21FC16t\n\tuRXrB8TJm5nzbzSTn04EGQ6OjUk/umOb1/cbKTDQhiCHE/DO9PJL4yyPKsaCuyYTgoOo\n\tzDnNpv4DHukmjS7GY10gGDQdQaVNdHl4aktLO/igb4/OEWBnyNGgsa6WZFsDuC8/UozE\n\t8OkA==","X-Gm-Message-State":"AHYfb5i0dk94K/G0A0VPqgXkdEZ2L+mwwfvCmQN/QbFAPLDl8uJvtNDa\n\tdqxvKGqHoZkiJcwTXHh0YX5gVUYgGEMCuRVzyBiPa/b8hFtCtfF66bvGE62NQFvnbYmmslYSRnC\n\toyOi0a9g6scFlLxDFWzyqMQnDVxFLpVRi","X-Received":["by 10.80.177.97 with SMTP id l30mr3670987edd.195.1504018744725; \n\tTue, 29 Aug 2017 07:59:04 -0700 (PDT)","by 10.80.177.97 with SMTP id l30mr3670967edd.195.1504018744306; \n\tTue, 29 Aug 2017 07:59:04 -0700 (PDT)"],"Subject":"APPLIED: [CVE-2016-10200][SRU][Trusty] l2tp: fix racy SOCK_ZAPPED\n\tflag check in l2tp_ip{, 6}_bind()","To":"Po-Hsu Lin <po-hsu.lin@canonical.com>, kernel-team@lists.ubuntu.com","References":"<20170828081014.24028-1-po-hsu.lin@canonical.com>","From":"Kleber Souza <kleber.souza@canonical.com>","Message-ID":"<fefe0c2e-36f1-f72f-d74c-55dbeb95ccef@canonical.com>","Date":"Tue, 29 Aug 2017 16:59:02 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170828081014.24028-1-po-hsu.lin@canonical.com>","Content-Language":"en-US","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.14","Precedence":"list","List-Id":"Kernel team discussions 
<kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"kernel-team-bounces@lists.ubuntu.com"}}]
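Review bot: in the second net/l2tp/l2tp_ip.c hunk (l2tp_ip_bind), the relocated SOCK_ZAPPED test leaves through `goto out` with no assignment to ret in the lines shown, whereas the test it replaces returned -EINVAL directly. The l2tp_ip6.c counterpart sits immediately after `err = -EINVAL;`, so the two functions may now report different errors for a bind() on an already-bound socket. Please confirm what ret holds at that jump, or set it explicitly before the goto so the errno seen by callers does not change with this fix.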
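Review bot: in the first net/l2tp/l2tp_ip6.c hunk (l2tp_ip6_bind), once the unlocked SOCK_ZAPPED test is removed the first remaining statement is `if (addr->l2tp_family != AF_INET6)`, which reads the caller-supplied address before `if (addr_len < sizeof(*addr))` has validated its length. l2tp_ip_bind() in the same patch checks addr_len first. Consider swapping the two checks in l2tp_ip6_bind() so the length is validated before any field of addr is read; this can be a follow-up if the backport must stay identical to the upstream commit.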