• Eric Biggers's avatar
    ppp: remove the PPPIOCDETACH ioctl · af8d3c7c
    Eric Biggers authored
    The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
    before f_count has reached 0, which is fundamentally a bad idea.  It
    does check 'f_count < 2', which excludes concurrent operations on the
    file since they would only be possible with a shared fd table, in which
    case each fdget() would take a file reference.  However, it fails to
    account for the fact that even with 'f_count == 1' the file can still be
    linked into epoll instances.  As reported by syzbot, this can trivially
    be used to cause a use-after-free.
    
    Yet, the only known user of PPPIOCDETACH is pppd versions older than
    ppp-2.4.2, which was released almost 15 years ago (November 2003).
    Also, PPPIOCDETACH apparently stopped working reliably at around the
    same time, when the f_count check was added to the kernel, e.g. see
    https://lkml.org/lkml/2002/12/31/83.  Also, the current 'f_count < 2'
    check makes PPPIOCDETACH only work in single-threaded applications; it
    always fails if called from a multithreaded application.
    
    All pppd versions released in the last 15 years just close() the file
    descriptor instead.
    
    Therefore, instead of hacking around this bug by exporting epoll
    internals to modules, and probably missing other related bugs, just
    remove the PPPIOCDETACH ioctl and see if anyone actually notices.  Leave
    a stub in place that prints a one-time warning and returns EINVAL.
    
    Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
    Fixes: 1da177e4
    
     ("Linux-2.6.12-rc2")
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Acked-by: default avatarPaul Mackerras <paulus@ozlabs.org>
    Reviewed-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
    Tested-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    af8d3c7c