iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Lihong Kou c35fd5684d Bluetooth: add a mutex lock to avoid UAF in do_enale_set 
[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]

In the case we set or free the global value listen_chan in
different threads, we can encounter the UAF problems because
the method is not protected by any lock, add one to avoid
this bug.

BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
net/bluetooth/l2cap_core.c:730
Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868

CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
 do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 2870:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
 chan_create net/bluetooth/6lowpan.c:640 [inline]
 bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
 do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 2870:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10d/0x220 mm/slab.c:3757
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
 do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888096950000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff888096950000, ffff888096950800)
The buggy address belongs to the page:
page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
Signed-off-by: Lihong Kou <koulihong@huawei.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-08-21 11:01:57 +02:00
..
6lowpan
6lowpan: Off by one handling ->nexthdr
2020-01-29 10:24:22 +01:00
9p
net/9p: validate fds in p9_fd_open
2020-08-21 11:01:54 +02:00
802
8021q
vlan: fix memory leak in vlan_dev_set_egress_priority
2020-01-12 11:24:27 +01:00
appletalk
appletalk: Set error code if register_snap_client failed
2019-12-21 10:41:45 +01:00
atm
net: atm: Fix potential Spectre v1 vulnerabilities
2019-04-27 09:34:40 +02:00
ax25
AX.25: Prevent integer overflows in connect and sendmsg
2020-07-31 16:44:06 +02:00
batman-adv
batman-adv: Fix refcnt leak in batadv_v_ogm_process
2020-05-20 08:15:29 +02:00
bluetooth
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
2020-08-21 11:01:57 +02:00
bridge
netfilter: nft_reject_bridge: enable reject with bridge vlan
2020-06-03 08:16:45 +02:00
caif
caif: reduce stack size with KASAN
2019-05-08 07:19:07 +02:00
can
can: purge socket error queue on sock destruct
2019-07-10 09:55:33 +02:00
ceph
libceph: ignore pool overlay and cache logic on redirects
2020-06-03 08:16:41 +02:00
core
net-sysfs: add a newline when printing 'tx_timeout' by sysfs
2020-07-31 16:44:06 +02:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:47:15 +02:00
dccp
net: ipv6: add net argument to ip6_dst_lookup_flow
2020-05-20 08:15:30 +02:00
decnet
decnet: fix DN_IFREQ_SIZE
2019-12-05 15:35:12 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:27:39 +02:00
dsa
net: dsa: tag_brcm: Fix skb->fwd_offload_mark location
2020-04-13 10:32:53 +02:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-12 11:24:19 +01:00
hsr
hsr: check protocol version in hsr_newlink()
2020-04-24 07:59:02 +02:00
ieee802154
nl802154: add missing attribute validation for dev_type
2020-03-20 09:07:39 +01:00
ipv4
ipv4: Silence suspicious RCU usage warning
2020-08-21 11:01:55 +02:00
ipv6
ipv6: fix memory leaks on IPV6_ADDRFORM path
2020-08-21 11:01:55 +02:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 15:44:41 +02:00
irda
irda: Only insert new objects into the global database via setsockopt
2018-09-15 09:43:01 +02:00
iucv
net/af_iucv: always register net_device notifier
2020-01-29 10:24:26 +01:00
kcm
kcm: switch order of device registration to fix a crash
2019-04-17 08:36:44 +02:00
key
xfrm: clean up xfrm protocol checks
2019-09-16 08:19:32 +02:00
l2tp
l2tp: remove skb_dst_set() from l2tp_xmit_skb()
2020-07-22 09:10:47 +02:00
l3mdev
lapb
lapb: fixed leak of control-blocks.
2019-06-22 08:17:22 +02:00
llc
llc: make sure applications use ARPHRD_ETHER
2020-07-22 09:10:47 +02:00
mac80211
mac80211: mesh: Free pending skb when destroying a mpath
2020-08-21 11:01:51 +02:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 20:01:19 +02:00
mpls
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2020-05-20 08:15:30 +02:00
ncsi
net/ncsi: Improve HNCDSC AEN handler
2016-10-20 11:23:08 -04:00
netfilter
netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6
2020-07-09 09:35:57 +02:00
netlabel
netlabel: cope with NULL catmap
2020-05-20 08:15:39 +02:00
netlink
genetlink: remove genl_bind
2020-07-22 09:10:48 +02:00
netrom
net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
2020-05-02 17:23:08 +02:00
nfc
nfc: add missing attribute validation for vendor subcommand
2020-03-20 09:07:40 +01:00
openvswitch
openvswitch: support asymmetric conntrack
2019-12-21 10:42:23 +01:00
packet
packet: fix data-race in fanout_flow_is_huge()
2020-01-29 10:24:35 +01:00
phonet
phonet: fix building with clang
2019-03-23 13:19:44 +01:00
qrtr
net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
2020-06-03 08:16:29 +02:00
rds
rds: Prevent kernel-infoleak in rds_notify_queue_get()
2020-08-21 11:01:49 +02:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2020-01-12 11:24:23 +01:00
rose
net: rose: fix a possible stack overflow
2019-04-03 06:24:14 +02:00
rxrpc
rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
2020-07-31 16:44:06 +02:00
sched
net: sched: export __netdev_watchdog_up()
2020-06-30 15:38:37 -04:00
sctp
sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
2020-06-30 15:38:39 -04:00
strparser
strparser: Fix incorrect strp->need_bytes value.
2018-04-29 11:32:02 +02:00
sunrpc
SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
2020-06-30 15:38:45 -04:00
switchdev
switchdev: Execute bridge ndos only for bridge ports
2016-10-19 10:58:04 -04:00
tipc
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2020-05-20 08:15:30 +02:00
unix
net: fix warning in af_unix
2019-11-28 18:28:28 +01:00
vmw_vsock
vsock: fix timeout in vsock_accept()
2020-06-11 09:22:21 +02:00
wimax
wireless
cfg80211: check vendor command doit pointer before use
2020-08-21 11:01:54 +02:00
x25
net/x25: Fix null-ptr-deref in x25_disconnect
2020-08-21 11:01:50 +02:00
xfrm
xfrm: fix a NULL-ptr deref in xfrm_local_error
2020-06-03 08:16:44 +02:00
compat.c
sock: Make sock->sk_stamp thread-safe
2019-01-09 16:16:41 +01:00
Kconfig
Makefile
socket.c
l2tp: device MTU setup, tunnel socket needs a lock
2020-05-27 16:42:00 +02:00
sysctl_net.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2016-10-06 09:52:23 -07:00