android_kernel_samsung_msm8976/drivers/net
Eric Biggers 9d142346b2 ppp: remove the PPPIOCDETACH ioctl
commit af8d3c7c001ae7df1ed2b2715f058113efc86187 upstream.

The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
before f_count has reached 0, which is fundamentally a bad idea.  It
does check 'f_count < 2', which excludes concurrent operations on the
file since they would only be possible with a shared fd table, in which
case each fdget() would take a file reference.  However, it fails to
account for the fact that even with 'f_count == 1' the file can still be
linked into epoll instances.  As reported by syzbot, this can trivially
be used to cause a use-after-free.

Yet, the only known user of PPPIOCDETACH is pppd versions older than
ppp-2.4.2, which was released almost 15 years ago (November 2003).
Also, PPPIOCDETACH apparently stopped working reliably at around the
same time, when the f_count check was added to the kernel, e.g. see
https://lkml.org/lkml/2002/12/31/83.  Also, the current 'f_count < 2'
check makes PPPIOCDETACH only work in single-threaded applications; it
always fails if called from a multithreaded application.

All pppd versions released in the last 15 years just close() the file
descriptor instead.

Therefore, instead of hacking around this bug by exporting epoll
internals to modules, and probably missing other related bugs, just
remove the PPPIOCDETACH ioctl and see if anyone actually notices.  Leave
a stub in place that prints a one-time warning and returns EINVAL.

Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-07-27 21:52:16 +02:00
appletalk
arcnet
bonding
caif
can
cris
danipc
dsa
ethernet
fddi
hamradio
hippi
hyperv
ieee802154
irda
phy
plip
ppp ppp: remove the PPPIOCDETACH ioctl 2019-07-27 21:52:16 +02:00
slip
team
usb
vmxnet3
wan
wimax
wireless qcacld-2.0: Fix buffer overwrite in csrRoamCheckForLinkStatusChange 2019-07-27 21:52:08 +02:00
xen-netback
dummy.c
eql.c
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macvlan.c
macvtap.c
Makefile
mdio.c
mii.c
netconsole.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tun.c
veth.c
virtio_net.c
vxlan.c
xen-netfront.c