Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-01 08:31:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
f9c70bdc27
linux/net/bluetooth
History
Lihong Kou f9c70bdc27 Bluetooth: add a mutex lock to avoid UAF in do_enale_set 
In the case we set or free the global value listen_chan in
different threads, we can encounter the UAF problems because
the method is not protected by any lock, add one to avoid
this bug.

BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
net/bluetooth/l2cap_core.c:730
Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868

CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
 do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 2870:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
 chan_create net/bluetooth/6lowpan.c:640 [inline]
 bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
 do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 2870:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10d/0x220 mm/slab.c:3757
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
 do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888096950000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff888096950000, ffff888096950800)
The buggy address belongs to the page:
page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
Signed-off-by: Lihong Kou <koulihong@huawei.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2020-06-23 14:30:07 +02:00
..
bnep Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
cmtp treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
hidp Bluetooth: optimize barrier usage for Rmw atomics 2020-01-29 19:50:44 +01:00
rfcomm Bluetooth: Acquire sk_lock.slock without disabling interrupts 2020-05-29 13:48:46 +02:00
6lowpan.c Bluetooth: add a mutex lock to avoid UAF in do_enale_set 2020-06-23 14:30:07 +02:00
a2mp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
a2mp.h Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
af_bluetooth.c Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections 2020-06-12 15:08:49 +02:00
amp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
amp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
ecdh_helper.c Bluetooth: let the crypto subsystem generate the ecc privkey 2017-10-06 20:35:47 +02:00
ecdh_helper.h Bluetooth: let the crypto subsystem generate the ecc privkey 2017-10-06 20:35:47 +02:00
hci_conn.c Bluetooth: Disconnect if E0 is used for Level 4 2020-06-22 18:56:10 +02:00
hci_core.c Bluetooth: Update background scan and report device based on advertisement monitors 2020-06-18 13:12:08 +03:00
hci_debugfs.c Bluetooth: debugfs option to unset MITM flag 2020-04-07 18:32:21 +02:00
hci_debugfs.h Bluetooth: Provide option to enable/disable debugfs information 2015-02-15 18:54:13 +02:00
hci_event.c Bluetooth: Disconnect if E0 is used for Level 4 2020-06-22 18:56:10 +02:00
hci_request.c Bluetooth: use configured params for ext adv 2020-06-22 16:03:46 +02:00
hci_request.h Bluetooth: Handle PM_SUSPEND_PREPARE and PM_POST_SUSPEND 2020-03-11 18:00:48 +01:00
hci_sock.c Bluetooth: Use only 8 bits for the HCI CMSG state flags 2020-06-12 15:10:46 +02:00
hci_sysfs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
Kconfig Bluetooth: Introduce debug feature when dynamic debug is disabled 2020-05-11 12:16:27 +02:00
l2cap_core.c Bluetooth: Terminate the link if pairing is cancelled 2020-06-18 13:12:12 +03:00
l2cap_sock.c Bluetooth: L2CAP: add support for waiting disconnection resp 2020-05-13 10:03:51 +02:00
leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
leds.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
lib.c Bluetooth: Introduce debug feature when dynamic debug is disabled 2020-05-11 12:16:27 +02:00
Makefile Bluetooth: implement read/set default system parameters mgmt 2020-06-12 21:41:07 +02:00
mgmt_config.c Bluetooth: mgmt: Use command complete on success for set system config 2020-06-18 13:12:15 +03:00
mgmt_config.h Bluetooth: mgmt: Add commands for runtime configuration 2020-06-18 13:11:03 +03:00
mgmt_util.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
mgmt_util.h Bluetooth: Add generic mgmt helper API 2015-03-17 18:03:08 +01:00
mgmt.c Bluetooth: Add hci_dev_lock to get/set device flags 2020-06-22 09:08:16 +02:00
msft.c Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES 2020-06-18 13:11:21 +03:00
msft.h Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES 2020-06-18 13:11:21 +03:00
sco.c Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections 2020-06-12 15:08:49 +02:00
selftest.c Bluetooth: Fix compiler warning with selftest duration calculation 2017-10-06 21:49:13 +03:00
selftest.h Bluetooth: Add support for self testing framework 2014-12-30 08:53:55 +02:00
smp.c Bluetooth: Fix for GAP/SEC/SEM/BI-10-C 2020-05-18 09:58:53 +02:00
smp.h Bluetooth: SMP: fix crash in unpairing 2018-09-26 12:39:32 +03:00