提交 9e00bd66 编写于 作者: J Jakub Sitnicki 提交者: Yongqiang Liu

l2tp: Serialize access to sk_user_data with sk_callback_lock

mainline inclusion
from mainline-v6.1-rc6
commit b68777d5
category: bugfix
bugzilla: 188056, https://gitee.com/src-openeuler/kernel/issues/I62RNU
CVE: CVE-2022-4129

--------------------------------

sk->sk_user_data has multiple users, which are not compatible with each
other. Writers must synchronize by grabbing the sk->sk_callback_lock.

l2tp currently fails to grab the lock when modifying the underlying tunnel
socket fields. Fix it by adding appropriate locking.

We err on the side of safety and grab the sk_callback_lock also inside the
sk_destruct callback overridden by l2tp, even though there should be no
refs allowing access to the sock at the time when sk_destruct gets called.

v4:
- serialize write to sk_user_data in l2tp sk_destruct

v3:
- switch from sock lock to sk_callback_lock
- document write-protection for sk_user_data

v2:
- update Fixes to point to origin of the bug
- use real names in Reported/Tested-by tags

Cc: Tom Parkin <tparkin@katalix.com>
Fixes: 3557baab ("[L2TP]: PPP over L2TP driver core")
Reported-by: NHaowei Yan <g1042620637@gmail.com>
Signed-off-by: NJakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

conflict:
	net/l2tp/l2tp_core.c
Signed-off-by: NLu Wei <luwei32@huawei.com>
Reviewed-by: NLiu Jian <liujian56@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com>
上级 150b3f83
......@@ -304,7 +304,7 @@ struct sock_common {
* @sk_tskey: counter to disambiguate concurrent tstamp requests
* @sk_zckey: counter to order MSG_ZEROCOPY notifications
* @sk_socket: Identd and reporting IO signals
* @sk_user_data: RPC layer private data
* @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
* @sk_frag: cached page frag
* @sk_peek_off: current peek_offset value
* @sk_send_head: front of stuff to transmit
......
......@@ -1172,8 +1172,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
}
/* Remove hooks into tunnel socket */
write_lock_bh(&sk->sk_callback_lock);
sk->sk_destruct = tunnel->old_sk_destruct;
sk->sk_user_data = NULL;
write_unlock_bh(&sk->sk_callback_lock);
/* Call the original destructor */
if (sk->sk_destruct)
......@@ -1492,12 +1494,15 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
sock = sockfd_lookup(tunnel->fd, &ret);
if (!sock)
goto err;
ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
if (ret < 0)
goto err_sock;
}
sk = sock->sk;
write_lock(&sk->sk_callback_lock);
ret = l2tp_validate_socket(sk, net, tunnel->encap);
if (ret < 0)
goto err_sock;
tunnel->l2tp_net = net;
pn = l2tp_pernet(net);
......@@ -1513,7 +1518,6 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
sk = sock->sk;
sock_hold(sk);
tunnel->sock = sk;
......@@ -1527,7 +1531,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
setup_udp_tunnel_sock(net, sock, &udp_cfg);
} else {
sk->sk_user_data = tunnel;
rcu_assign_sk_user_data(sk, tunnel);
}
tunnel->old_sk_destruct = sk->sk_destruct;
......@@ -1539,6 +1543,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
if (tunnel->fd >= 0)
sockfd_put(sock);
write_unlock(&sk->sk_callback_lock);
return 0;
err_sock:
......@@ -1546,6 +1551,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
sock_release(sock);
else
sockfd_put(sock);
write_unlock(&sk->sk_callback_lock);
err:
return ret;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册