From: Guillaume Nault <g.nault@alphalink.fr>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: linux-ppp@vger.kernel.org, Paul Mackerras <paulus@samba.org>,
	netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH v2] ppp: remove the PPPIOCDETACH ioctl
Date: Thu, 24 May 2018 14:04:49 +0000	[thread overview]
Message-ID: <20180524140449.GA1389@alphalink.fr> (raw)
In-Reply-To: <20180523213738.146911-1-ebiggers3@gmail.com>

On Wed, May 23, 2018 at 02:37:38PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
> before f_count has reached 0, which is fundamentally a bad idea.  It
> does check 'f_count < 2', which excludes concurrent operations on the
> file since they would only be possible with a shared fd table, in which
> case each fdget() would take a file reference.  However, it fails to
> account for the fact that even with 'f_count == 1' the file can still be
> linked into epoll instances.  As reported by syzbot, this can trivially
> be used to cause a use-after-free.
> 
> Yet, the only known user of PPPIOCDETACH is pppd versions older than
> ppp-2.4.2, which was released almost 15 years ago (November 2003).
> Also, PPPIOCDETACH apparently stopped working reliably at around the
> same time, when the f_count check was added to the kernel, e.g. see
> https://lkml.org/lkml/2002/12/31/83.  Also, the current 'f_count < 2'
> check makes PPPIOCDETACH only work in single-threaded applications; it
> always fails if called from a multithreaded application.
> 
> All pppd versions released in the last 15 years just close() the file
> descriptor instead.
> 
> Therefore, instead of hacking around this bug by exporting epoll
> internals to modules, and probably missing other related bugs, just
> remove the PPPIOCDETACH ioctl and see if anyone actually notices.  Leave
> a stub in place that prints a one-time warning and returns EINVAL.
> 
> Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> 
> v2: leave a stub in place, rather than removing the ioctl completely.
> 
Thanks a lot for your help on this matter.

BTW, netdev has its own rules wrt. stable backports. You didn't need to
CC: stable@. David handles -stable submissions himself.
Using a 'PATCH net' subject prefix would have made it clear that this
patch was fixing some released code and should be considered for -stable
backport.

Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
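
One check a practitioner may want after this thread: whether the running kernel still honours PPPIOCDETACH or now answers with the EINVAL stub the patch leaves in place. The program below is an added example, not code from the patch, from pppd or from anyone on this thread; it assumes root and a /dev/ppp device, and the helper names classify_detach and probe_pppiocdetach are invented.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Request numbers copied from <linux/ppp-ioctl.h> so this builds without it. */
#define PPPIOCNEWUNIT _IOWR('t', 62, int)
#define PPPIOCDETACH  _IOW('t', 60, int)
/* UNTESTABLE: no /dev/ppp, no CAP_NET_ADMIN, or an unexpected errno. */
enum detach_status { DETACH_UNTESTABLE = -1, DETACH_STUBBED, DETACH_STILL_HONOURED };

/* After the patch the stub always fails with EINVAL; before it, a single-threaded
 * caller holding the only reference to a fresh unit gets 0.  Pure, so testable. */
enum detach_status classify_detach(int ret, int err)
{
    if (ret == 0)
        return DETACH_STILL_HONOURED;
    return err == EINVAL ? DETACH_STUBBED : DETACH_UNTESTABLE;
}

/* Open /dev/ppp, create a unit so the file carries ppp private data, then send
 * the obsolete ioctl as pppd older than 2.4.2 did.  No epoll registration is
 * involved, so the call is harmless even on an unpatched kernel. */
enum detach_status probe_pppiocdetach(void)
{
    int unit = -1, ret;
    int fd = open("/dev/ppp", O_RDWR);
    if (fd < 0)
        return DETACH_UNTESTABLE;
    if (ioctl(fd, PPPIOCNEWUNIT, &unit) < 0) {
        close(fd);
        return DETACH_UNTESTABLE;
    }
    ret = ioctl(fd, PPPIOCDETACH, &unit);  /* the argument is ignored */
    enum detach_status s = classify_detach(ret, errno);
    close(fd);
    return s;
}

int main(void)
{
    enum detach_status s = probe_pppiocdetach();
    if (s == DETACH_UNTESTABLE)
        puts("could not test: need root and /dev/ppp");
    else
        printf("PPPIOCDETACH is %s\n", s == DETACH_STUBBED ? "stubbed out (patched)" : "still honoured (unpatched)");
    return 0;
}
```

Run it single-threaded, as written: on an unpatched kernel a shared fd table would also yield EINVAL and be misreported as the stub.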
