korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-30 07:34:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
af8d3c7c00
linux/drivers/net
History
Eric Biggers af8d3c7c00 ppp: remove the PPPIOCDETACH ioctl 
The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
before f_count has reached 0, which is fundamentally a bad idea.  It
does check 'f_count < 2', which excludes concurrent operations on the
file since they would only be possible with a shared fd table, in which
case each fdget() would take a file reference.  However, it fails to
account for the fact that even with 'f_count == 1' the file can still be
linked into epoll instances.  As reported by syzbot, this can trivially
be used to cause a use-after-free.

Yet, the only known user of PPPIOCDETACH is pppd versions older than
ppp-2.4.2, which was released almost 15 years ago (November 2003).
Also, PPPIOCDETACH apparently stopped working reliably at around the
same time, when the f_count check was added to the kernel, e.g. see
https://lkml.org/lkml/2002/12/31/83.  Also, the current 'f_count < 2'
check makes PPPIOCDETACH only work in single-threaded applications; it
always fails if called from a multithreaded application.

All pppd versions released in the last 15 years just close() the file
descriptor instead.

Therefore, instead of hacking around this bug by exporting epoll
internals to modules, and probably missing other related bugs, just
remove the PPPIOCDETACH ioctl and see if anyone actually notices.  Leave
a stub in place that prints a one-time warning and returns EINVAL.

Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-24 22:55:07 -04:00
..
appletalk
arcnet
bonding bonding: send learning packets for vlans on slave 2018-05-11 11:50:41 -04:00
caif drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
can can: hi311x: Work around TX complete interrupt erratum 2018-05-10 18:25:30 +02:00
dsa net: dsa: bcm_sf2: Fix IPv6 rule half deletion 2018-05-16 14:11:22 -04:00
ethernet net/mlx5: IPSec, Fix a race between concurrent sandbox QP commands 2018-05-24 14:40:40 -07:00
fddi
fjes
hamradio drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
hippi
hyperv hv_netvsc: set master device 2018-05-10 17:36:20 -04:00
ieee802154 net: ieee802154: mcr20a: do not leak resources on error path 2018-04-23 20:56:23 +02:00
ipvlan ipvlan: call netdevice notifier when master mac address changed 2018-05-16 11:59:41 -04:00
netdevsim devlink: convert occ_get op to separate registration 2018-04-08 12:45:57 -04:00
phy net: phy: broadcom: Fix bcm_write_exp() 2018-05-23 15:27:01 -04:00
plip
ppp ppp: remove the PPPIOCDETACH ioctl 2018-05-24 22:55:07 -04:00
slip slip: Check if rstate is initialized before uncompressing 2018-04-11 10:33:46 -04:00
team team: fix netconsole setup over team 2018-04-24 09:36:21 -04:00
usb qmi_wwan: do not steal interfaces from class drivers 2018-05-03 11:25:03 -04:00
vmxnet3 vmxnet3: use DMA memory barriers where required 2018-05-14 22:43:57 -04:00
wan
wimax
wireless mac80211_hwsim: Fix radio dump for radio idx 0 2018-05-22 10:24:17 +02:00
xen-netback drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
dummy.c net: Do not take net_rwsem in __rtnl_link_unregister() 2018-03-31 22:24:58 -04:00
eql.c
geneve.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
gtp.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ifb.c net: Do not take net_rwsem in __rtnl_link_unregister() 2018-03-31 22:24:58 -04:00
Kconfig netdevsim: Add simple FIB resource controller via devlink 2018-03-29 14:10:31 -04:00
LICENSE.SRC
loopback.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
macsec.c Revert "macsec: missing dev_put() on error in macsec_newlink()" 2018-04-16 10:01:12 -04:00
macvlan.c
macvtap.c
Makefile net: remove cris etrax ethernet driver 2018-03-26 15:56:24 +02:00
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c tuntap: correctly set SOCKWQ_ASYNC_NOSPACE 2018-05-23 14:32:12 -04:00
veth.c
virtio_net.c virtio-net: fix leaking page for gso packet during mergeable XDP 2018-05-23 13:36:19 -04:00
vrf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-04-01 19:49:34 -04:00
vsockmon.c
vxlan.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
xen-netfront.c drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00