| Message ID | 20231211144037.2039209-1-hedonistsmith@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/1] Bluetooth: Fix UAF in __sco_sock_close | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/CheckPatch | warning | WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?) #92: atomic_dec_and_test ./include/linux/atomic/atomic-instrumented.h:1375 [inline] total: 0 errors, 1 warnings, 0 checks, 21 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13487356.patch has style problems, please review. NOTE: Ignored message types: UNKNOWN_COMMIT_ID NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. |
| tedd_an/GitLint | fail | WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 10: B1 Line exceeds max length (87>80): "BUG: KASAN: slab-use-after-free in __sco_sock_close+0x2d7/0x6b0 net/bluetooth/sco.c:444" 39: B1 Line exceeds max length (199>80): "Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 d3 eb 02 00 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 21 ec 02 00 8b 44" 102: B1 Line exceeds max length (90>80): "page:ffffea0000711e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c478" 110: B1 Line exceeds max length (199>80): "page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 6803836749, free_ts 0" |
| tedd_an/SubjectPrefix | success | Gitlint PASS |
| tedd_an/BuildKernel | success | BuildKernel PASS |
| tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
| tedd_an/CheckSparse | warning | CheckSparse WARNING net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:150:35: warning: array of flexible structures |
| tedd_an/CheckSmatch | warning | CheckSparse WARNING net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:150:35: warning: array of flexible structures |
| tedd_an/BuildKernel32 | success | BuildKernel32 PASS |
| tedd_an/TestRunnerSetup | success | TestRunnerSetup PASS |
| tedd_an/TestRunner_l2cap-tester | success | TestRunner PASS |
| tedd_an/TestRunner_iso-tester | success | TestRunner PASS |
| tedd_an/TestRunner_bnep-tester | success | TestRunner PASS |
| tedd_an/TestRunner_mgmt-tester | success | TestRunner PASS |
| tedd_an/TestRunner_rfcomm-tester | success | TestRunner PASS |
| tedd_an/TestRunner_sco-tester | success | TestRunner PASS |
| tedd_an/TestRunner_ioctl-tester | success | TestRunner PASS |
| tedd_an/TestRunner_mesh-tester | success | TestRunner PASS |
| tedd_an/TestRunner_smp-tester | success | TestRunner PASS |
| tedd_an/TestRunner_userchan-tester | success | TestRunner PASS |
| tedd_an/IncrementalBuild | success | Incremental Build PASS |
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=808810
---Test result---
Test Summary:
CheckPatch FAIL 0.98 seconds
GitLint FAIL 0.60 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 28.33 seconds
CheckAllWarning PASS 31.08 seconds
CheckSparse WARNING 36.40 seconds
CheckSmatch WARNING 99.66 seconds
BuildKernel32 PASS 27.47 seconds
TestRunnerSetup PASS 426.62 seconds
TestRunner_l2cap-tester PASS 23.28 seconds
TestRunner_iso-tester PASS 91.06 seconds
TestRunner_bnep-tester PASS 7.16 seconds
TestRunner_mgmt-tester PASS 162.53 seconds
TestRunner_rfcomm-tester PASS 11.12 seconds
TestRunner_sco-tester PASS 12.67 seconds
TestRunner_ioctl-tester PASS 12.28 seconds
TestRunner_mesh-tester PASS 9.07 seconds
TestRunner_smp-tester PASS 9.91 seconds
TestRunner_userchan-tester PASS 7.46 seconds
IncrementalBuild PASS 26.47 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[1/1] Bluetooth: Fix UAF in __sco_sock_close
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#92:
atomic_dec_and_test ./include/linux/atomic/atomic-instrumented.h:1375 [inline]
total: 0 errors, 1 warnings, 0 checks, 21 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13487356.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[1/1] Bluetooth: Fix UAF in __sco_sock_close
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
10: B1 Line exceeds max length (87>80): "BUG: KASAN: slab-use-after-free in __sco_sock_close+0x2d7/0x6b0 net/bluetooth/sco.c:444"
39: B1 Line exceeds max length (199>80): "Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 d3 eb 02 00 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 21 ec 02 00 8b 44"
102: B1 Line exceeds max length (90>80): "page:ffffea0000711e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c478"
110: B1 Line exceeds max length (199>80): "page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 6803836749, free_ts 0"
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:150:35: warning: array of flexible structures
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:150:35: warning: array of flexible structures
---
Regards,
Linux Bluetooth
Hi, ma, 2023-12-11 kello 22:40 +0800, Chaoyuan Peng kirjoitti: > In __sco_sock_close(), the sco_conn_lock doesn't properly guard the access > to 'conn'. This leads to the UAF where __sco_sock_close() access the freed > 'sco_pi(sk)->conn' which is destroyed by hci_abort_conn_sync() on another > thread. > > Such is the case in the following call trace: > > BUG: KASAN: slab-use-after-free in __sco_sock_close+0x2d7/0x6b0 net/bluetooth/sco.c:444 > Write of size 4 at addr ffff88801c47a010 by task syz-executor402/10616 What branch is this crash seen in? sco_disconn_cfm and sco_conn_del should have been called from hci_abort_conn_sync. In particular sco_conn_del should set sco_pi(sk)->conn = NULL. Now, it's possible those are racing here, and maybe it's possible to make the locking is correct if it's not. It's also possible there's still some bug that hci_abort_conn_sync gets called with reason == 0. Most of these should have been fixed by 181a42edddf51d5d9697ec Adding WARN_ON(!reason) in hci_abort_conn_sync should tell if it's still that bug. > > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 > print_address_description mm/kasan/report.c:364 [inline] > print_report+0xc1/0x5e0 mm/kasan/report.c:475 > kasan_report+0xbe/0xf0 mm/kasan/report.c:588 > check_region_inline mm/kasan/generic.c:181 [inline] > kasan_check_range+0xf0/0x190 mm/kasan/generic.c:187 > instrument_atomic_read_write ./include/linux/instrumented.h:96 [inline] > atomic_dec_and_test ./include/linux/atomic/atomic-instrumented.h:1375 [inline] > hci_conn_drop ./include/net/bluetooth/hci_core.h:1523 [inline] > __sco_sock_close+0x2d7/0x6b0 net/bluetooth/sco.c:444 > sco_sock_close net/bluetooth/sco.c:469 [inline] > sco_sock_release+0x7b/0x2d0 net/bluetooth/sco.c:1246 > __sock_release+0xae/0x260 net/socket.c:659 > sock_close+0x1c/0x20 net/socket.c:1419 > __fput+0x406/0xa70 fs/file_table.c:384 > __fput_sync+0x45/0x50 fs/file_table.c:465 > __do_sys_close fs/open.c:1572 [inline] > __se_sys_close fs/open.c:1557 [inline] > __x64_sys_close+0x8b/0x110 fs/open.c:1557 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > RIP: 0033:0x7f338be5659b > Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 d3 eb 02 00 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 21 ec 02 00 8b 44 > RSP: 002b:00007ffd1c844f50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 > RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007f338be5659b > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006 > RBP: 0000000000000032 R08: 0000000000000000 R09: 000000000487598e > R10: 0000000000000000 R11: 0000000000000293 R12: 00007f338bef32fc > R13: 00007ffd1c844fa0 R14: 00007ffd1c844fc0 R15: 00007f338be0a5f0 > </TASK> > > Allocated by task 10619: > kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 > kasan_set_track+0x25/0x30 mm/kasan/common.c:52 > ____kasan_kmalloc mm/kasan/common.c:374 [inline] > ____kasan_kmalloc mm/kasan/common.c:333 [inline] > __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383 > kmalloc ./include/linux/slab.h:599 [inline] > kzalloc ./include/linux/slab.h:720 [inline] > hci_conn_add+0xc2/0x1850 net/bluetooth/hci_conn.c:957 > hci_connect_sco+0x3bb/0x1050 net/bluetooth/hci_conn.c:1701 > sco_connect net/bluetooth/sco.c:266 [inline] > sco_sock_connect+0x2df/0xa90 net/bluetooth/sco.c:591 > __sys_connect_file+0x15f/0x1a0 net/socket.c:2050 > __sys_connect+0x165/0x1a0 net/socket.c:2067 > __do_sys_connect net/socket.c:2077 [inline] > __se_sys_connect net/socket.c:2074 [inline] > __x64_sys_connect+0x72/0xb0 net/socket.c:2074 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Freed by task 8146: > kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 > kasan_set_track+0x25/0x30 mm/kasan/common.c:52 > kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522 > ____kasan_slab_free mm/kasan/common.c:236 [inline] > ____kasan_slab_free+0x15e/0x1c0 mm/kasan/common.c:200 > kasan_slab_free ./include/linux/kasan.h:164 [inline] > slab_free_hook mm/slub.c:1800 [inline] > slab_free_freelist_hook+0x95/0x1d0 mm/slub.c:1826 > slab_free mm/slub.c:3809 [inline] > __kmem_cache_free+0xb8/0x2e0 mm/slub.c:3822 > device_release+0xa3/0x240 drivers/base/core.c:2484 > kobject_cleanup lib/kobject.c:682 [inline] > kobject_release lib/kobject.c:716 [inline] > kref_put ./include/linux/kref.h:65 [inline] > kobject_put+0x1a2/0x3e0 lib/kobject.c:733 > put_device+0x1f/0x30 drivers/base/core.c:3732 > hci_abort_conn_sync+0x566/0xde0 net/bluetooth/hci_sync.c:5428 > abort_conn_sync+0x188/0x3a0 net/bluetooth/hci_conn.c:2910 > hci_cmd_sync_work+0x1c5/0x430 net/bluetooth/hci_sync.c:306 > process_one_work+0x876/0x15a0 kernel/workqueue.c:2630 > process_scheduled_works kernel/workqueue.c:2703 [inline] > worker_thread+0x855/0x11f0 kernel/workqueue.c:2784 > kthread+0x346/0x450 kernel/kthread.c:388 > ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 > ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 > > The buggy address belongs to the object at ffff88801c47a000 > which belongs to the cache kmalloc-4k of size 4096 > The buggy address is located 16 bytes inside of > freed 4096-byte region [ffff88801c47a000, ffff88801c47b000) > > The buggy address belongs to the physical page: > page:ffffea0000711e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c478 > head:ffffea0000711e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) > page_type: 0xffffffff() > raw: 00fff00000000840 ffff888012843040 0000000000000000 dead000000000001 > raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 6803836749, free_ts 0 > set_page_owner ./include/linux/page_owner.h:31 [inline] > post_alloc_hook+0x2d8/0x350 mm/page_alloc.c:1536 > prep_new_page mm/page_alloc.c:1543 [inline] > get_page_from_freelist+0xf09/0x2c50 mm/page_alloc.c:3170 > __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4426 > alloc_page_interleave+0x1e/0x250 mm/mempolicy.c:2130 > alloc_pages+0x233/0x270 mm/mempolicy.c:2292 > alloc_slab_page mm/slub.c:1870 [inline] > allocate_slab+0x261/0x390 mm/slub.c:2017 > new_slab mm/slub.c:2070 [inline] > ___slab_alloc+0xbda/0x15e0 mm/slub.c:3223 > __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 > __slab_alloc_node mm/slub.c:3375 [inline] > slab_alloc_node mm/slub.c:3468 [inline] > __kmem_cache_alloc_node+0x13a/0x350 mm/slub.c:3517 > kmalloc_node_trace+0x21/0xd0 mm/slab_common.c:1130 > kmalloc_node ./include/linux/slab.h:615 [inline] > kzalloc_node ./include/linux/slab.h:731 [inline] > bdi_alloc+0x47/0x180 mm/backing-dev.c:932 > __alloc_disk_node+0xa2/0x650 block/genhd.c:1337 > __blk_alloc_disk+0x37/0x90 block/genhd.c:1393 > brd_alloc.part.0+0x256/0x770 drivers/block/brd.c:338 > brd_alloc drivers/block/brd.c:458 [inline] > brd_init+0x1b5/0x2a0 drivers/block/brd.c:425 > do_one_initcall+0x105/0x620 init/main.c:1232 > page_owner free stack trace missing > > Memory state around the buggy address: > ffff88801c479f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff88801c479f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > ffff88801c47a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff88801c47a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff88801c47a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== > > Signed-off-by: Chaoyuan Peng <hedonistsmith@gmail.com> > --- > net/bluetooth/sco.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > index c736186ab..46e158bdd 100644 > --- a/net/bluetooth/sco.c > +++ b/net/bluetooth/sco.c > @@ -296,6 +296,7 @@ static int sco_connect(struct sock *sk) > sco_sock_set_timer(sk, sk->sk_sndtimeo); > } > > + hci_conn_get(hcon); > release_sock(sk); > > unlock: > @@ -438,12 +439,13 @@ static void __sco_sock_close(struct sock *sk) > case BT_CONNECTED: > case BT_CONFIG: > if (sco_pi(sk)->conn->hcon) { > + struct hci_conn *hcon = sco_pi(sk)->conn->hcon; > sk->sk_state = BT_DISCONN; > sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > sco_conn_lock(sco_pi(sk)->conn); > - hci_conn_drop(sco_pi(sk)->conn->hcon); > sco_pi(sk)->conn->hcon = NULL; > sco_conn_unlock(sco_pi(sk)->conn); > + hci_conn_put(hcon); I think this reference is leaked if sco_conn_del gets called first, which occurs when the hcon is being deleted. > } else > sco_chan_del(sk, ECONNRESET); > break;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index c736186ab..46e158bdd 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -296,6 +296,7 @@ static int sco_connect(struct sock *sk) sco_sock_set_timer(sk, sk->sk_sndtimeo); } + hci_conn_get(hcon); release_sock(sk); unlock: @@ -438,12 +439,13 @@ static void __sco_sock_close(struct sock *sk) case BT_CONNECTED: case BT_CONFIG: if (sco_pi(sk)->conn->hcon) { + struct hci_conn *hcon = sco_pi(sk)->conn->hcon; sk->sk_state = BT_DISCONN; sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); sco_conn_lock(sco_pi(sk)->conn); - hci_conn_drop(sco_pi(sk)->conn->hcon); sco_pi(sk)->conn->hcon = NULL; sco_conn_unlock(sco_pi(sk)->conn); + hci_conn_put(hcon); } else sco_chan_del(sk, ECONNRESET); break;