Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4689298imm; Fri, 18 May 2018 09:03:37 -0700 (PDT) X-Google-Smtp-Source: AB8JxZo2Nn404sSRbVTOtDlGOmmbTFJTpXNdlRbVdUmBNo8n8EHAI/d5Zd/fCyYlsClFIMLWavok X-Received: by 2002:a63:7c01:: with SMTP id x1-v6mr7948776pgc.286.1526659417407; Fri, 18 May 2018 09:03:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526659417; cv=none; d=google.com; s=arc-20160816; b=kLrVqPlpXQvsh0eSJkKGyuw9G/JkpL3k1VBt3fFZVPah7jKpX3vX/N8Q5l4/uZ/dPV eyAlJ/fZ50LeUCo6I3xUrkPhoe6HXKU70XW/3oxT13tAc5uEISavj/GlYJd7bPIHycqO iJz4QSbchHxHgXC2xtpFbXU9l02VTtVbijEM10jEtYmzNg3MJNrl+eWYiFWjwBVKChVV 6Qf/XdrZ7lYomzvUsV+4zC9GFIEQlYLpesxaR76Fr+C2ZoyOrRgsEg8iXovfl7JnB0zd jaOnCSfVSqAyn1FPQAWAz4dwiZ02pJ8ZJcwfVGFUSeSB4za0jZ7E7np19RE8rJ+lxZPY gwGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=3Sf5om+It61OYfbJ+NL3nS8DgL/8DTSNRVbHysqGnNE=; b=vy3tIp2MSLgVTzK/nJXPHKiAn1WD3kbfehGVcycabf1PUjd/g9Evm3PTef7ac4sOxu NqdDlSQctdiz61WjhtP2Nn/ap/4NkY1fUUlOHuf9BbOTEfWbdBuZdi7qDL6qnVDF+mcj ORyqiVdX/ImvZsOwkU9L05oS4PiN9sPnmxdbyUgM7lIFXAHy0DLA88SnNaNzgsNmp9kd +YsyE+p4rwrSH4mDiZn/DnmxluW/9mojoZBra8A9HqNhHeMHAInIhrmpOjJwYItL35UG O7mqFROpX13xm/l1x7ZlCwjeJXIMf32CeRq/k4NBISYNogzUDiZKpnAKSa75F+atK5yL iDlQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v80-v6si7963008pfa.173.2018.05.18.09.03.21; Fri, 18 May 2018 09:03:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752550AbeERQCc (ORCPT + 99 others); Fri, 18 May 2018 12:02:32 -0400 Received: from zimbra.alphalink.fr ([217.15.80.77]:56239 "EHLO zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752503AbeERQC1 (ORCPT ); Fri, 18 May 2018 12:02:27 -0400 Received: from localhost (localhost [127.0.0.1]) by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id 485E62B52097; Fri, 18 May 2018 18:02:25 +0200 (CEST) Received: from zimbra.alphalink.fr ([127.0.0.1]) by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id 6Jri3PlUJwEE; Fri, 18 May 2018 18:02:24 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id ED4DB2B520B2; Fri, 18 May 2018 18:02:23 +0200 (CEST) X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr Received: from zimbra.alphalink.fr ([127.0.0.1]) by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id RmLleXVTwnLz; Fri, 18 May 2018 18:02:23 +0200 (CEST) Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr [217.15.84.94]) by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id B622F2B52097; Fri, 18 May 2018 18:02:23 +0200 (CEST) Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000) id 8BAD16025E; Fri, 18 May 2018 18:02:23 +0200 (CEST) Date: Fri, 18 May 2018 18:02:23 +0200 From: Guillaume Nault To: Eric Biggers Cc: linux-ppp@vger.kernel.org, Paul Mackerras , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, syzbot , viro@zeniv.linux.org.uk Subject: Re: KASAN: use-after-free Read in remove_wait_queue (2) Message-ID: <20180518160223.GF1534@alphalink.fr> References: <20180514061155.GL677@sol.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180514061155.GL677@sol.localdomain> User-Agent: Mutt/1.9.5 (2018-04-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote: > [+ppp list and maintainer] > > This is a bug in ppp_generic.c; it still happens on Linus' tree and it's easily > reproducible, see program below. The bug is that the PPPIOCDETACH ioctl doesn't > consider that the file can still be attached to epoll instances even when > ->f_count == 1. Right. What would it take to remove the file for the epoll instances? Sorry for the naive question, but I'm not familiar with VFS and didn't find a helper function we could call. > Also, the reproducer doesn't test this but I think ppp_poll(), > ppp_read(), and ppp_write() can all race with PPPIOCDETACH, causing > use-after-frees as well. I also believe so. ppp_release() resets ->private_data, and even though functions like ppp_read() test ->private_data before executing, there's no synchronisation mechanism to ensure that the update is visible before the unit or channel is destroyed. Is that the kind of race you had in mind? > Any chance that PPPIOCDETACH can simply be removed, > given that it's apparently been "deprecated" for 16 years? > Does anyone use it? The only users I'm aware of are pppd versions older than ppp-2.4.2 (released in November 2003). But even at that time, there were issues with PPPIOCDETACH as pppd didn't seem to react properly when this call failed. An Internet search on the "PPPIOCDETACH file->f_count=" kernel log string, or on the "Couldn't release PPP unit: Invalid argument" error message of pppd, returns several related bug reports. Originally, PPPIOCDETACH never failed, but testing ->f_count was later introduced to fix crashes when the file descriptor had been duplicated. It seems that this was motivated by polling issues too. Long story short, it looks like PPPIOCDETACH never has worked well and we have at least two more bugs to fix. Given how it has proven fragile, I wouldn't be surprised if there were even more lurking around. I'd say that it's probably safer to drop it than to add more workarounds and playing wack-a-mole with those bugs.