From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Guillaume Nault", "David S. Miller"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Subject: [PATCH 3.16 140/366] l2tp: prevent pppol2tp_connect() from creating kernel sockets

3.16.61-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault

commit 3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd upstream.

If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets the relevant fields to zero, tricking l2tp_tunnel_create() into setting up an unusable kernel socket.

We can't set 'tcfg' with the required fields because there's no way to get them from the current connect() parameters. So let's restrict kernel sockets creation to the netlink API, which is the original use case.

Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
 net/l2tp/l2tp_ppp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -723,6 +723,15 @@ static int pppol2tp_connect(struct socke .encap = L2TP_ENCAPTYPE_UDP, .debug = 0, }; + + /* Prevent l2tp_tunnel_register() from trying to set up + * a kernel socket. + */ + if (fd < 0) { + error = -EBADF; + goto end; + } + error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel); if (error < 0) goto end;
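
Review bot: the comment added above the "if (fd < 0)" check names l2tp_tunnel_register(), but the call it guards directly below is l2tp_tunnel_create(), and the commit message also describes l2tp_tunnel_create() as the function that builds a tunnel socket from 'tcfg' when 'fd' is negative. In this backport the comment should name l2tp_tunnel_create() so it matches the code next to it. The check also changes what connect() returns for a negative fd on this path (now -EBADF instead of a tunnel backed by an unusable kernel socket); a sentence in the commit message stating that user-visible change would help anyone auditing the stable update.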