From patchwork Thu Aug 19 15:46:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 12447511 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F10DC4338F for ; Thu, 19 Aug 2021 15:46:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EF0B961051 for ; Thu, 19 Aug 2021 15:46:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239990AbhHSPrR (ORCPT ); Thu, 19 Aug 2021 11:47:17 -0400 Received: from smtp-out1.suse.de ([195.135.220.28]:40698 "EHLO smtp-out1.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239151AbhHSPrQ (ORCPT ); Thu, 19 Aug 2021 11:47:16 -0400 Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id 40BE6220B9; Thu, 19 Aug 2021 15:46:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1629387999; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type; bh=Qy6ZWelWVTiWEo2cgoouc2nThDRWSzCg3aimoMrO26w=; b=dUA/BhpeXNd6VmUOuzfeppvKxXlsHLkXBo4ZC8XP7gbxGYkWFvsmXdPXFNw5AfCzWiNtHC YSZtvk7ZRD8CI0blF35dDbD40ZKpBxf9Jt2gHAN5SNSnfBqZaBwdBnJTHP2IQcIyjSpxs6 eU5/yzwodRH70OzSCsfjNf21cvdNqng= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1629387999; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type; bh=Qy6ZWelWVTiWEo2cgoouc2nThDRWSzCg3aimoMrO26w=; b=0fNbnPjJhHjqVK9dhqWqJazdAL0Aeyo6u3ojbctOvq2BYmrc5mYdoQkj2P0fBYSyk35KsO JJFDbiIeVjQDiqDw== Received: from alsa1.suse.de (alsa1.suse.de [10.160.4.42]) by relay2.suse.de (Postfix) with ESMTP id 3C1F3A3B94; Thu, 19 Aug 2021 15:46:39 +0000 (UTC) Date: Thu, 19 Aug 2021 17:46:39 +0200 Message-ID: From: Takashi Iwai To: linux-bluetooth@vger.kernel.org Cc: linux-kernel@vger.kernel.org Subject: CVE-2021-3640 and the unlimited block of lock_sock() User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?utf-8?b?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi, it seems that the recent fixes in bluetooth tree address most of issues in CVE-2021-3640 ("Use-After-Free vulnerability in function sco_sock_sendmsg()"). But there is still a problem left: although we cover the race with lock_sock() now, the lock may be blocked endlessly (as the task takes over with userfaultd), which result in the trigger of watchdog like: -- 8< -- [ 23.226767][ T7] Bluetooth: hci0: command 0x0419 tx timeout [ 284.985881][ T1529] INFO: task poc:7603 blocked for more than 143 seconds. [ 284.989134][ T1529] Not tainted 5.13.0-rc4+ #48 [ 284.990098][ T1529] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 284.991705][ T1529] task:poc state:D stack:13784 pid: 7603 ppid: 7593 flags:0x00000000 [ 284.993414][ T1529] Call Trace: [ 284.994025][ T1529] __schedule+0x32e/0xb90 [ 284.994842][ T1529] ? __local_bh_enable_ip+0x72/0xe0 [ 284.995987][ T1529] schedule+0x38/0xe0 [ 284.996723][ T1529] __lock_sock+0xa1/0x130 [ 284.997434][ T1529] ? finish_wait+0x80/0x80 [ 284.998150][ T1529] lock_sock_nested+0x9f/0xb0 [ 284.998914][ T1529] sco_conn_del+0xb1/0x1a0 [ 284.999619][ T1529] ? sco_conn_del+0x1a0/0x1a0 [ 285.000361][ T1529] sco_disconn_cfm+0x3a/0x60 [ 285.001116][ T1529] hci_conn_hash_flush+0x95/0x130 [ 285.001921][ T1529] hci_dev_do_close+0x298/0x680 [ 285.002687][ T1529] ? up_write+0x12/0x130 [ 285.003367][ T1529] ? vhci_close_dev+0x20/0x20 [ 285.004107][ T1529] hci_unregister_dev+0x9f/0x240 [ 285.004886][ T1529] vhci_release+0x35/0x70 [ 285.005602][ T1529] __fput+0xdf/0x360 [ 285.006225][ T1529] task_work_run+0x86/0xd0 [ 285.006927][ T1529] exit_to_user_mode_prepare+0x267/0x270 [ 285.007824][ T1529] syscall_exit_to_user_mode+0x19/0x60 [ 285.008694][ T1529] do_syscall_64+0x42/0xa0 [ 285.009393][ T1529] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 285.010321][ T1529] RIP: 0033:0x4065c7 -- 8< -- Is there any plan to address this? As a quick hack, I confirmed a workaround like below: -- 8< -- -- 8< -- .... but I'm not sure whether it's the right way to go. thanks, Takashi --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2628,7 +2628,7 @@ void __lock_sock(struct sock *sk) prepare_to_wait_exclusive(&sk->sk_lock.wq, &wait, TASK_UNINTERRUPTIBLE); spin_unlock_bh(&sk->sk_lock.slock); - schedule(); + schedule_timeout(msecs_to_jiffies(10 * 1000)); spin_lock_bh(&sk->sk_lock.slock); if (!sock_owned_by_user(sk)) break;