git.baikalelectronics.ru Git - kernel.git/commit

author	Hannes Frederic Sowa <hannes@stressinduktion.org>
	Fri, 22 Jan 2016 00:39:43 +0000 (01:39 +0100)
committer	David S. Miller <davem@davemloft.net>
	Mon, 25 Jan 2016 06:18:26 +0000 (22:18 -0800)
commit	78de8e13ad82c7b7efa1f1e1691a421f83c8f851
tree	87d702049504d914d40c61d91c89bcd5dd1cebf8	tree \| snapshot
parent	edaf9d364898775dd0f76fa6024bfde29e9201aa	commit \| diff

pptp: fix illegal memory access caused by multiple bind()s

Several times already this has been reported as kasan reports caused by
syzkaller and trinity and people always looked at RCU races, but it is
much more simple. :)

In case we bind a pptp socket multiple times, we simply add it to
the callid_sock list but don't remove the old binding. Thus the old
socket stays in the bucket with unused call_id indexes and doesn't get
cleaned up. This causes various forms of kasan reports which were hard
to pinpoint.

Simply don't allow multiple binds and correct error handling in
pptp_bind. Also keep sk_state bits in place in pptp_connect.

Fixes: 0a9c6f21ecb806 ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
Cc: Dmitry Kozlov <xeb@mail.ru>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dave Jones <davej@codemonkey.org.uk>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>