Skip to main content

Browse the archive

https://github.com/torvalds/linux
17 May 2024, 09:02:56 UTC
Revision 3aff8aaca4e36dc8b17eaa011684881a80238966 authored by Maxim Mikityanskiy on 04 October 2022, 21:27:18 UTC, committed by Luiz Augusto von Dentz on 02 November 2022, 21:12:34 UTC 
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
 
Fix the race condition between the following two flows that run in
parallel:

1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->
   __sock_queue_rcv_skb.

2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.

An SKB can be queued by the first flow and immediately dequeued and
freed by the second flow, therefore the callers of l2cap_reassemble_sdu
can't use the SKB after that function returns. However, some places
continue accessing struct l2cap_ctrl that resides in the SKB's CB for a
short time after l2cap_reassemble_sdu returns, leading to a
use-after-free condition (the stack trace is below, line numbers for
kernel 5.19.8).

Fix it by keeping a local copy of struct l2cap_ctrl.

BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169

Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
 print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
 ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
 kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
 ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
 l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
 l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
 ret_from_fork (arch/x86/entry/entry_64.S:306)
 </TASK>

Allocated by task 43169:
 kasan_save_stack (mm/kasan/common.c:39)
 __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
 kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
 __alloc_skb (net/core/skbuff.c:414)
 l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
 l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
 hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
 process_one_work (kernel/workqueue.c:2289)
 worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
 kthread (kernel/kthread.c:376)
 ret_from_fork (arch/x86/entry/entry_64.S:306)

Freed by task 27920:
 kasan_save_stack (mm/kasan/common.c:39)
 kasan_set_track (mm/kasan/common.c:45)
 kasan_set_free_info (mm/kasan/generic.c:372)
 ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
 slab_free_freelist_hook (mm/slub.c:1780)
 kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
 skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
 bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
 l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
 sock_read_iter (net/socket.c:1087)
 new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
 vfs_read (fs/read_write.c:482)
 ksys_read (fs/read_write.c:620)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u
Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine")
Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier")
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
1 parent ba9169f
History
Tip revision: 3aff8aaca4e36dc8b17eaa011684881a80238966 authored by Maxim Mikityanskiy on 04 October 2022, 21:27:18 UTC
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
Tip revision: 3aff8aa
File Mode Size
damon
kasan
kfence
kmsan
Kconfig -rw-r--r-- 35.4 KB
Kconfig.debug -rw-r--r-- 7.7 KB
Makefile -rw-r--r-- 5.0 KB
backing-dev.c -rw-r--r-- 24.7 KB
balloon_compaction.c -rw-r--r-- 8.2 KB
bootmem_info.c -rw-r--r-- 3.4 KB
cma.c -rw-r--r-- 15.5 KB
cma.h -rw-r--r-- 1.4 KB
cma_debug.c -rw-r--r-- 4.5 KB
cma_sysfs.c -rw-r--r-- 2.4 KB
compaction.c -rw-r--r-- 84.0 KB
debug.c -rw-r--r-- 6.6 KB
debug_page_ref.c -rw-r--r-- 1.4 KB
debug_vm_pgtable.c -rw-r--r-- 38.8 KB
dmapool.c -rw-r--r-- 13.6 KB
early_ioremap.c -rw-r--r-- 6.7 KB
fadvise.c -rw-r--r-- 5.5 KB
failslab.c -rw-r--r-- 1.4 KB
filemap.c -rw-r--r-- 111.2 KB
folio-compat.c -rw-r--r-- 3.5 KB
frontswap.c -rw-r--r-- 7.9 KB
gup.c -rw-r--r-- 92.8 KB
gup_test.c -rw-r--r-- 5.6 KB
gup_test.h -rw-r--r-- 938 bytes
highmem.c -rw-r--r-- 20.1 KB
hmm.c -rw-r--r-- 16.7 KB
huge_memory.c -rw-r--r-- 87.8 KB
hugetlb.c -rw-r--r-- 207.3 KB
hugetlb_cgroup.c -rw-r--r-- 24.6 KB
hugetlb_vmemmap.c -rw-r--r-- 15.9 KB
hugetlb_vmemmap.h -rw-r--r-- 1.6 KB
hwpoison-inject.c -rw-r--r-- 2.8 KB
init-mm.c -rw-r--r-- 1.7 KB
internal.h -rw-r--r-- 26.8 KB
interval_tree.c -rw-r--r-- 3.1 KB
io-mapping.c -rw-r--r-- 993 bytes
ioremap.c -rw-r--r-- 1.4 KB
khugepaged.c -rw-r--r-- 68.6 KB
kmemleak.c -rw-r--r-- 59.8 KB
ksm.c -rw-r--r-- 90.0 KB
list_lru.c -rw-r--r-- 13.8 KB
maccess.c -rw-r--r-- 5.8 KB
madvise.c -rw-r--r-- 37.9 KB
mapping_dirty_helpers.c -rw-r--r-- 10.5 KB
memblock.c -rw-r--r-- 61.0 KB
memcontrol.c -rw-r--r-- 199.4 KB
memfd.c -rw-r--r-- 8.2 KB
memory-failure.c -rw-r--r-- 68.1 KB
memory-tiers.c -rw-r--r-- 18.4 KB
memory.c -rw-r--r-- 160.2 KB
memory_hotplug.c -rw-r--r-- 64.0 KB
mempolicy.c -rw-r--r-- 78.1 KB
mempool.c -rw-r--r-- 15.8 KB
memremap.c -rw-r--r-- 15.0 KB
memtest.c -rw-r--r-- 2.8 KB
migrate.c -rw-r--r-- 57.4 KB
migrate_device.c -rw-r--r-- 27.3 KB
mincore.c -rw-r--r-- 7.1 KB
mlock.c -rw-r--r-- 19.1 KB
mm_init.c -rw-r--r-- 5.3 KB
mm_slot.h -rw-r--r-- 1.4 KB
mmap.c -rw-r--r-- 100.3 KB
mmap_lock.c -rw-r--r-- 6.2 KB
mmu_gather.c -rw-r--r-- 9.2 KB
mmu_notifier.c -rw-r--r-- 35.3 KB
mmzone.c -rw-r--r-- 2.5 KB
mprotect.c -rw-r--r-- 22.6 KB
mremap.c -rw-r--r-- 28.9 KB
msync.c -rw-r--r-- 2.9 KB
nommu.c -rw-r--r-- 45.1 KB
oom_kill.c -rw-r--r-- 33.5 KB
page-writeback.c -rw-r--r-- 93.1 KB
page_alloc.c -rw-r--r-- 270.2 KB
page_counter.c -rw-r--r-- 6.8 KB
page_ext.c -rw-r--r-- 13.5 KB
page_idle.c -rw-r--r-- 5.2 KB
page_io.c -rw-r--r-- 12.8 KB
page_isolation.c -rw-r--r-- 20.7 KB
page_owner.c -rw-r--r-- 18.0 KB
page_poison.c -rw-r--r-- 2.5 KB
page_reporting.c -rw-r--r-- 10.3 KB
page_reporting.h -rw-r--r-- 1.6 KB
page_table_check.c -rw-r--r-- 5.9 KB
page_vma_mapped.c -rw-r--r-- 8.6 KB
pagewalk.c -rw-r--r-- 15.9 KB
percpu-internal.h -rw-r--r-- 7.0 KB
percpu-km.c -rw-r--r-- 3.2 KB
percpu-stats.c -rw-r--r-- 5.8 KB
percpu-vm.c -rw-r--r-- 11.7 KB
percpu.c -rw-r--r-- 102.5 KB
pgalloc-track.h -rw-r--r-- 1.3 KB
pgtable-generic.c -rw-r--r-- 5.8 KB
process_vm_access.c -rw-r--r-- 8.2 KB
ptdump.c -rw-r--r-- 4.2 KB
readahead.c -rw-r--r-- 25.7 KB
rmap.c -rw-r--r-- 73.5 KB
rodata_test.c -rw-r--r-- 1.2 KB
secretmem.c -rw-r--r-- 6.4 KB
shmem.c -rw-r--r-- 111.3 KB
shrinker_debug.c -rw-r--r-- 6.2 KB
shuffle.c -rw-r--r-- 4.6 KB
shuffle.h -rw-r--r-- 1.2 KB
slab.c -rw-r--r-- 102.0 KB
slab.h -rw-r--r-- 22.8 KB
slab_common.c -rw-r--r-- 37.6 KB
slob.c -rw-r--r-- 18.8 KB
slub.c -rw-r--r-- 155.9 KB
sparse-vmemmap.c -rw-r--r-- 10.2 KB
sparse.c -rw-r--r-- 25.6 KB
swap.c -rw-r--r-- 31.3 KB
swap.h -rw-r--r-- 3.9 KB
swap_cgroup.c -rw-r--r-- 5.2 KB
swap_slots.c -rw-r--r-- 9.2 KB
swap_state.c -rw-r--r-- 24.0 KB
swapfile.c -rw-r--r-- 92.4 KB
truncate.c -rw-r--r-- 26.2 KB
usercopy.c -rw-r--r-- 8.1 KB
userfaultfd.c -rw-r--r-- 18.9 KB
util.c -rw-r--r-- 30.2 KB
vmalloc.c -rw-r--r-- 108.1 KB
vmpressure.c -rw-r--r-- 13.9 KB
vmscan.c -rw-r--r-- 211.3 KB
vmstat.c -rw-r--r-- 54.6 KB
workingset.c -rw-r--r-- 24.5 KB
z3fold.c -rw-r--r-- 44.6 KB
zbud.c -rw-r--r-- 18.4 KB
zpool.c -rw-r--r-- 11.2 KB
zsmalloc.c -rw-r--r-- 57.3 KB
zswap.c -rw-r--r-- 39.9 KB
back to top