www.infradead.org Git - users/jedix/linux-maple.git/commit
pptp: fix illegal memory access caused by multiple bind()s
author Hannes Frederic Sowa <hannes@stressinduktion.org>
Fri, 22 Jan 2016 00:39:43 +0000 (01:39 +0100)
committer Chuck Anderson <chuck.anderson@oracle.com>
Thu, 26 May 2016 22:45:14 +0000 (15:45 -0700)
commit 362bc3ee53730d30eadcc6868829dd9b8d85e234
tree ef3362f499821fe9bb02a8d5d6a54c141493fa71
parent 03861fe86a3d11dea885be98a2530648558fb968
pptp: fix illegal memory access caused by multiple bind()s

Orabug: 23330932

[ Upstream commit 9a368aff9cb370298fa02feeffa861f2db497c18 ]

Several times already this has been reported as kasan reports caused by
syzkaller and trinity and people always looked at RCU races, but it is
much more simple. :)

In case we bind a pptp socket multiple times, we simply add it to
the callid_sock list but don't remove the old binding. Thus the old
socket stays in the bucket with unused call_id indexes and doesn't get
cleaned up. This causes various forms of kasan reports which were hard
to pinpoint.

Simply don't allow multiple binds and correct error handling in
pptp_bind. Also keep sk_state bits in place in pptp_connect.

Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
Cc: Dmitry Kozlov <xeb@mail.ru>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dave Jones <davej@codemonkey.org.uk>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit ce28c3ced53aa6385eafeabaeb9c70eca9e3b1ba)

Signed-off-by: Dan Duval <dan.duval@oracle.com>
drivers/net/ppp/pptp.c
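
The failure mode described in the commit message, as an added user-space model (not the kernel code from this commit): a channel that binds twice is published in two table slots, but teardown clears only the slot it remembers. The names `chan`, `callid_tab`, `ST_BOUND`, `bind_unchecked`, `bind_once` and the `-EALREADY` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define MAX_CALLID 8            /* constructed table size for this model */
#define ST_BOUND   0x1          /* hypothetical "already bound" state bit */

struct chan { int call_id; unsigned state; };  /* stand-in for a pptp socket */
static struct chan *callid_tab[MAX_CALLID];    /* models the callid_sock list */

/* Pre-fix behaviour: every bind publishes the channel again. */
static int bind_unchecked(struct chan *c, int call_id)
{
    if (call_id < 0 || call_id >= MAX_CALLID || callid_tab[call_id])
        return -EBUSY;
    callid_tab[call_id] = c;
    c->call_id = call_id;       /* the earlier slot is forgotten, not cleared */
    c->state |= ST_BOUND;
    return 0;
}

/* Post-fix behaviour: a channel that is already bound may not bind again. */
static int bind_once(struct chan *c, int call_id)
{
    if (c->state & ST_BOUND)
        return -EALREADY;       /* illustrative errno choice */
    return bind_unchecked(c, call_id);
}

/* Teardown clears only the slot the channel remembers, then counts the
 * table entries that still point at it (stale references). */
static int unbind_and_count_stale(struct chan *c)
{
    int n = 0;
    if (c->state & ST_BOUND)
        callid_tab[c->call_id] = NULL;
    c->state &= ~ST_BOUND;
    for (int i = 0; i < MAX_CALLID; i++)
        n += (callid_tab[i] == c);
    return n;
}

/* Bind the same channel twice, tear it down, report stale table entries. */
static int run(int (*bind_fn)(struct chan *, int))
{
    struct chan c = {0};
    for (int i = 0; i < MAX_CALLID; i++)
        callid_tab[i] = NULL;
    bind_fn(&c, 1);
    bind_fn(&c, 2);             /* second bind on the same channel */
    return unbind_and_count_stale(&c);
}

int main(void)
{
    printf("unchecked: %d stale, bind-once: %d stale\n",
           run(bind_unchecked), run(bind_once));
    return 0;
}
```

In the kernel the leftover entry would outlive the freed socket, which is the kind of access KASAN flags; the model only counts the leftover pointers and never dereferences them.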