[net] l2tp: do not accept arbitrary sockets

Message ID 1520351693.109662.17.camel@gmail.com
State Accepted
Delegated to: David Miller
Headers show
Series
  • [net] l2tp: do not accept arbitrary sockets
Related show

Commit Message

Eric Dumazet March 6, 2018, 3:54 p.m.
From: Eric Dumazet <edumazet@google.com>

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.

Comments

Guillaume Nault March 6, 2018, 6:45 p.m. | #1
On Tue, Mar 06, 2018 at 07:54:53AM -0800, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> syzkaller found an issue caused by lack of sufficient checks
> in l2tp_tunnel_create()
> 
> RAW sockets can not be considered as UDP ones for instance.
> 
Indeed, missing checks have been the source of so many reports.

Acked-by: Guillaume Nault <g.nault@alphalink.fr>
James Chapman March 6, 2018, 8:26 p.m. | #2
On 6 March 2018 at 15:54, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> syzkaller found an issue caused by lack of sufficient checks
> in l2tp_tunnel_create()
>
> RAW sockets can not be considered as UDP ones for instance.

Acked-by: James Chapman <jchapman@katalix.com>
David Miller March 7, 2018, 6:36 p.m. | #3
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 06 Mar 2018 07:54:53 -0800

> From: Eric Dumazet <edumazet@google.com>
> 
> syzkaller found an issue caused by lack of sufficient checks
> in l2tp_tunnel_create()
> 
> RAW sockets can not be considered as UDP ones for instance.
> 
> In another patch, we shall replace all pr_err() by less intrusive
> pr_debug() so that syzkaller can find other bugs faster.
 ...
> Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>

Applied and queued up for -stable, thanks.
Guillaume Nault March 7, 2018, 6:55 p.m. | #4
On Tue, Mar 06, 2018 at 07:54:53AM -0800, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> In another patch, we shall replace all pr_err() by less intrusive
> pr_debug() so that syzkaller can find other bugs faster.
> 
Or maybe just remove them entirely. These messages aren't very useful
anyway, especially if disabled by default.

Patch

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7


Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 net/l2tp/l2tp_core.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 83421c6f0bef1c48e35fe42000deea456ab1548d..e22512e328273b20b64d49390d0c583b2d960bb8 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1457,9 +1457,14 @@  int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
 		encap = cfg->encap;
 
 	/* Quick sanity checks */
+	err = -EPROTONOSUPPORT;
+	if (sk->sk_type != SOCK_DGRAM) {
+		pr_debug("tunl %hu: fd %d wrong socket type\n",
+			 tunnel_id, fd);
+		goto err;
+	}
 	switch (encap) {
 	case L2TP_ENCAPTYPE_UDP:
-		err = -EPROTONOSUPPORT;
 		if (sk->sk_protocol != IPPROTO_UDP) {
 			pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
 			       tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
@@ -1467,7 +1472,6 @@  int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
 		}
 		break;
 	case L2TP_ENCAPTYPE_IP:
-		err = -EPROTONOSUPPORT;
 		if (sk->sk_protocol != IPPROTO_L2TP) {
 			pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
 			       tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);