Date: Thu, 24 May 2018 22:55:25 -0400 (EDT)
Message-Id: <20180524.225525.2081887066395831022.davem@davemloft.net>
To: ebiggers3@gmail.com
Cc: linux-ppp@vger.kernel.org, paulus@samba.org, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, g.nault@alphalink.fr, syzkaller-bugs@googlegroups.com, ebiggers@google.com
Subject: Re: [PATCH v2] ppp: remove the PPPIOCDETACH ioctl
From: David Miller
In-Reply-To: <20180523213738.146911-1-ebiggers3@gmail.com>
References: <20180523035952.25768-1-ebiggers3@gmail.com> <20180523213738.146911-1-ebiggers3@gmail.com>
From: Eric Biggers
Date: Wed, 23 May 2018 14:37:38 -0700

> From: Eric Biggers
>
> The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
> before f_count has reached 0, which is fundamentally a bad idea. It
> does check 'f_count < 2', which excludes concurrent operations on the
> file since they would only be possible with a shared fd table, in which
> case each fdget() would take a file reference. However, it fails to
> account for the fact that even with 'f_count == 1' the file can still be
> linked into epoll instances. As reported by syzbot, this can trivially
> be used to cause a use-after-free.
>
> Yet, the only known user of PPPIOCDETACH is pppd versions older than
> ppp-2.4.2, which was released almost 15 years ago (November 2003).
> Also, PPPIOCDETACH apparently stopped working reliably at around the
> same time, when the f_count check was added to the kernel, e.g. see
> https://lkml.org/lkml/2002/12/31/83. Also, the current 'f_count < 2'
> check makes PPPIOCDETACH only work in single-threaded applications; it
> always fails if called from a multithreaded application.
>
> All pppd versions released in the last 15 years just close() the file
> descriptor instead.
>
> Therefore, instead of hacking around this bug by exporting epoll
> internals to modules, and probably missing other related bugs, just
> remove the PPPIOCDETACH ioctl and see if anyone actually notices. Leave
> a stub in place that prints a one-time warning and returns EINVAL.
>
> Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Eric Biggers

Applied and queued up for -stable.
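As an added illustration that is not part of the patch or of this thread, here is a user-space C model of the reasoning in the commit message: why the 'f_count < 2' check does not cover a file that is still linked into epoll, and what the replacement stub does instead. struct model_file, ppp_detach_legacy, epoll_wakeup and ppp_detach_removed are hypothetical names, not kernel code; the inputs in main are constructed.

```c
/* Added example, not code from the patch or ppp_generic.c: a user-space model of
 * the commit message's reasoning. struct model_file and every function here are
 * hypothetical stand-ins for struct file, the old handler, epoll and the stub. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
struct model_file {
    long f_count;         /* references held via fd tables / fdget() */
    bool in_epoll;        /* on an epoll interest list; does NOT raise f_count */
    bool ppp_state_freed; /* per-file ppp state already torn down */
};

/* Legacy: 'f_count < 2' only excludes concurrent fdget() holders (shared fd
 * table) and makes multithreaded callers fail; an epoll link is invisible to
 * it, so the ppp state is torn down while epoll still points at the file. */
static int ppp_detach_legacy(struct model_file *f)
{
    if (f->f_count >= 2)
        return -EINVAL;
    f->ppp_state_freed = true; /* "close" before f_count reached 0 */
    return 0;
}

/* epoll later touches the ppp state; the model reports the dangling access as
 * -EFAULT instead of dereferencing freed memory. */
static int epoll_wakeup(const struct model_file *f)
{
    if (!f->in_epoll)
        return 0;
    return f->ppp_state_freed ? -EFAULT : 1;
}

/* Replacement described in the patch: warn once, return EINVAL, free nothing. */
static int detach_calls;
static int ppp_detach_removed(struct model_file *f)
{
    (void)f;
    if (detach_calls++ == 0) /* pr_warn_once()-style: only the first call logs */
        fprintf(stderr, "PPPIOCDETACH is no longer supported\n");
    return -EINVAL;
}
static int warnings_emitted(void) { return detach_calls > 0; }

int main(void)
{
    struct model_file f = { .f_count = 1, .in_epoll = true }, g = f;
    int legacy = ppp_detach_legacy(&f), stub = ppp_detach_removed(&g);
    printf("legacy: detach=%d epoll_wakeup=%d (-EFAULT=%d)\n", legacy, epoll_wakeup(&f), -EFAULT);
    printf("stub:   detach=%d epoll_wakeup=%d\n", stub, epoll_wakeup(&g));
    return 0;
}
```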