linux/net
Gui-Dong Han da9065caa5 Bluetooth: Fix atomicity violation in {min,max}_key_size_set
In min_key_size_set():
    if (val > hdev->le_max_key_size || val < SMP_MIN_ENC_KEY_SIZE)
        return -EINVAL;
    hci_dev_lock(hdev);
    hdev->le_min_key_size = val;
    hci_dev_unlock(hdev);

In max_key_size_set():
    if (val > SMP_MAX_ENC_KEY_SIZE || val < hdev->le_min_key_size)
        return -EINVAL;
    hci_dev_lock(hdev);
    hdev->le_max_key_size = val;
    hci_dev_unlock(hdev);

The atomicity violation occurs due to concurrent execution of set_min and
set_max funcs.Consider a scenario where setmin writes a new, valid 'min'
value, and concurrently, setmax writes a value that is greater than the
old 'min' but smaller than the new 'min'. In this case, setmax might check
against the old 'min' value (before acquiring the lock) but write its
value after the 'min' has been updated by setmin. This leads to a
situation where the 'max' value ends up being smaller than the 'min'
value, which is an inconsistency.

This possible bug is found by an experimental static analysis tool
developed by our team, BassCheck[1]. This tool analyzes the locking APIs
to extract function pairs that can be concurrently executed, and then
analyzes the instructions in the paired functions to identify possible
concurrency bugs including data races and atomicity violations. The above
possible bug is reported when our tool analyzes the source code of
Linux 5.17.

To resolve this issue, it is suggested to encompass the validity checks
within the locked sections in both set_min and set_max funcs. The
modification ensures that the validation of 'val' against the
current min/max values is atomic, thus maintaining the integrity of the
settings. With this patch applied, our tool no longer reports the bug,
with the kernel configuration allyesconfig for x86_64. Due to the lack of
associated hardware, we cannot test the patch in runtime testing, and just
verify it according to the code logic.

[1] https://sites.google.com/view/basscheck/

Fixes: 18f81241b7 ("Bluetooth: Move {min,max}_key_size debugfs ...")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <2045gemini@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2023-12-22 13:00:36 -05:00
..
6lowpan
9p 9p/net: fix possible memory leak in p9_check_errors() 2023-10-27 12:44:13 +09:00
802 net: fill in MODULE_DESCRIPTION()s under net/802* 2023-10-28 11:29:28 +01:00
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-14 12:02:45 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2023-12-12 13:14:08 +01:00
ax25 net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
batman-adv batman-adv: Switch to linux/array_size.h 2023-11-14 08:16:34 +01:00
bluetooth Bluetooth: Fix atomicity violation in {min,max}_key_size_set 2023-12-22 13:00:36 -05:00
bpf bpf: Fix dtor CFI 2023-12-15 16:25:55 -08:00
bpfilter
bridge bridge: mdb: Add MDB bulk deletion support 2023-12-20 11:27:20 +00:00
caif
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-12 17:07:34 -07:00
ceph This update includes the following changes: 2023-11-02 16:15:30 -10:00
core Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-01 21:07:46 -07:00
dccp ipv6: annotate data-races around np->mcast_oif 2023-12-11 10:59:17 +00:00
devlink devlink: extend multicast filtering by port index 2023-12-19 15:31:40 +01:00
dns_resolver net: dns_resolver: the module is called dns_resolver, not dnsresolver 2023-12-12 12:14:19 +01:00
dsa net: dsa: tag_rtl4_a: Use existing ETH_P_REALTEK constant 2023-11-14 19:45:35 -08:00
ethernet
ethtool net: ethtool: add support for symmetric-xor RSS hash 2023-12-13 22:07:16 -08:00
handshake Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-26 13:46:28 -07:00
hsr net: hsr: Add support for MC filtering at the slave device 2023-11-22 10:51:32 +00:00
ieee802154 sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
ife net: sched: ife: fix potential use-after-free 2023-12-15 10:50:18 +00:00
ipv4 Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
ipv6 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
iucv s390: use control register bit defines 2023-09-19 13:26:57 +02:00
kcm net: kcm: fill in MODULE_DESCRIPTION() 2023-11-08 18:17:44 -08:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-01 22:21:32 -07:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
mac802154
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-10 19:43:22 -07:00
mpls networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
mptcp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
ncsi net/ncsi: Add NC-SI 1.2 Get MC MAC Address command 2023-11-18 15:00:51 +00:00
netfilter Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
netlabel netlabel: Remove unused declaration netlbl_cipsov4_doi_free() 2023-08-02 12:28:22 -07:00
netlink netlink: introduce typedef for filter function 2023-12-19 15:31:40 +01:00
netrom net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2023-10-16 17:34:53 -07:00
nsh
openvswitch net/sched: act_ct: Always fill offloading tuple iifidx 2023-11-08 17:47:08 -08:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-07 17:53:17 -08:00
phonet
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-07 09:54:02 -08:00
qrtr
rds ipv6: annotate data-races around np->mcast_oif 2023-12-11 10:59:17 +00:00
rfkill Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
rose net/rose: fix races in rose_kill_by_device() 2023-12-15 11:59:53 +00:00
rxrpc rxrpc: Defer the response to a PING ACK until we've parsed it 2023-11-17 02:50:33 +00:00
sched net: sched: Add initial TC error skb drop reasons 2023-12-20 11:50:13 +00:00
sctp sctp: support MSG_ERRQUEUE flag in recvmsg() 2023-12-13 18:30:24 -08:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-07 17:53:17 -08:00
strparser
sunrpc nfsd-6.7 fixes: 2023-12-20 11:16:50 -08:00
switchdev net: switchdev: Add a helper to replay objects on a bridge port 2023-07-21 08:54:03 +01:00
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-11-23 12:20:58 -08:00
tls net: tls, update curr on splice as well 2023-12-07 09:52:28 -08:00
unix bpf, sockmap: af_unix stream sockets need to hold ref for pair sock 2023-11-30 00:25:16 +01:00
vmw_vsock virtio/vsock: send credit update during setting SO_RCVLOWAT 2023-12-15 10:37:35 +00:00
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
x25 net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
xdp netdev 2023-12-18 16:46:08 -08:00
xfrm bpf: xfrm: Add bpf_xdp_get_xfrm_state() kfunc 2023-12-14 17:12:49 -08:00
compat.c
devres.c
Kconfig net: add skb_segment kunit test 2023-10-11 10:39:01 +01:00
Kconfig.debug
Makefile
socket.c bpf: Add __bpf_hook_{start,end} macros 2023-11-01 22:33:53 -07:00
sysctl_net.c sysctl: Add size to register_net_sysctl function 2023-08-15 15:26:17 -07:00