[PATCH] Bluetooth: L2CAP: Fix potential user-after-free

[PATCH] Bluetooth: L2CAP: Fix potential user-after-free

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This fixes all instances of which requires to allocate a buffer calling
alloc_skb which may release the chan lock and reacquire later which
makes it possible that the chan is disconnected in the meantime.

Fixes: a6a5568c03c4 ("Bluetooth: Lock the L2CAP channel when sending")
Reported-by: Alexander Coffin <alex.coffin@matician.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/l2cap_core.c | 24 ------------------------
 net/bluetooth/l2cap_sock.c |  8 ++++++++
 2 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a3e0dc6a6e73..adfc3ea06d08 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2683,14 +2683,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
 		if (IS_ERR(skb))
 			return PTR_ERR(skb);
 
-		/* Channel lock is released before requesting new skb and then
-		 * reacquired thus we need to recheck channel state.
-		 */
-		if (chan->state != BT_CONNECTED) {
-			kfree_skb(skb);
-			return -ENOTCONN;
-		}
-
 		l2cap_do_send(chan, skb);
 		return len;
 	}
@@ -2735,14 +2727,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
 		if (IS_ERR(skb))
 			return PTR_ERR(skb);
 
-		/* Channel lock is released before requesting new skb and then
-		 * reacquired thus we need to recheck channel state.
-		 */
-		if (chan->state != BT_CONNECTED) {
-			kfree_skb(skb);
-			return -ENOTCONN;
-		}
-
 		l2cap_do_send(chan, skb);
 		err = len;
 		break;
@@ -2763,14 +2747,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
 		 */
 		err = l2cap_segment_sdu(chan, &seg_queue, msg, len);
 
-		/* The channel could have been closed while segmenting,
-		 * check that it is still connected.
-		 */
-		if (chan->state != BT_CONNECTED) {
-			__skb_queue_purge(&seg_queue);
-			err = -ENOTCONN;
-		}
-
 		if (err)
 			break;
 
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ca8f07f3542b..eebe256104bc 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1624,6 +1624,14 @@ static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan,
 	if (!skb)
 		return ERR_PTR(err);
 
+	/* Channel lock is released before requesting new skb and then
+	 * reacquired thus we need to recheck channel state.
+	 */
+	if (chan->state != BT_CONNECTED) {
+		kfree_skb(skb);
+		return ERR_PTR(-ENOTCONN);
+	}
+
 	skb->priority = sk->sk_priority;
 
 	bt_cb(skb)->l2cap.chan = chan;
-- 
2.37.3

RE: Bluetooth: L2CAP: Fix potential user-after-free

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1422 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=717902

---Test result---

Test Summary:
CheckPatch                    PASS      1.17 seconds
GitLint                       PASS      0.36 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      37.93 seconds
CheckAllWarning               PASS      41.71 seconds
CheckSparse                   PASS      46.75 seconds
CheckSmatch                   PASS      126.54 seconds
BuildKernel32                 PASS      36.61 seconds
TestRunnerSetup               PASS      525.34 seconds
TestRunner_l2cap-tester       PASS      18.69 seconds
TestRunner_iso-tester         PASS      20.41 seconds
TestRunner_bnep-tester        PASS      6.76 seconds
TestRunner_mgmt-tester        PASS      129.22 seconds
TestRunner_rfcomm-tester      PASS      10.65 seconds
TestRunner_sco-tester         PASS      9.84 seconds
TestRunner_ioctl-tester       PASS      11.64 seconds
TestRunner_mesh-tester        PASS      8.60 seconds
TestRunner_smp-tester         PASS      9.80 seconds
TestRunner_userchan-tester    PASS      7.09 seconds
IncrementalBuild              PASS      34.40 seconds



---
Regards,
Linux Bluetooth

Re: Bluetooth: L2CAP: Fix potential user-after-free

[Luiz Augusto von Dentz]

Hi Alex,

On Wed, Feb 1, 2023 at 2:36 PM <bluez.test.bot@gmail.com> wrote:
>
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=717902
>
> ---Test result---
>
> Test Summary:
> CheckPatch                    PASS      1.17 seconds
> GitLint                       PASS      0.36 seconds
> SubjectPrefix                 PASS      0.13 seconds
> BuildKernel                   PASS      37.93 seconds
> CheckAllWarning               PASS      41.71 seconds
> CheckSparse                   PASS      46.75 seconds
> CheckSmatch                   PASS      126.54 seconds
> BuildKernel32                 PASS      36.61 seconds
> TestRunnerSetup               PASS      525.34 seconds
> TestRunner_l2cap-tester       PASS      18.69 seconds
> TestRunner_iso-tester         PASS      20.41 seconds
> TestRunner_bnep-tester        PASS      6.76 seconds
> TestRunner_mgmt-tester        PASS      129.22 seconds
> TestRunner_rfcomm-tester      PASS      10.65 seconds
> TestRunner_sco-tester         PASS      9.84 seconds
> TestRunner_ioctl-tester       PASS      11.64 seconds
> TestRunner_mesh-tester        PASS      8.60 seconds
> TestRunner_smp-tester         PASS      9.80 seconds
> TestRunner_userchan-tester    PASS      7.09 seconds
> IncrementalBuild              PASS      34.40 seconds

Looks like it is good with our tests in CI, that said I do wonder if
you guys could enable it to run tests that may trigger these problems,
since they normally are not found by normal tests.

>
>
> ---
> Regards,
> Linux Bluetooth
>


-- 
Luiz Augusto von Dentz

Re: Bluetooth: L2CAP: Fix potential user-after-free

[Alexander Coffin]

Hi Luiz,

Sorry about the very slow response, but I just wanted to make sure
that it worked well on our robots for a while (the crashes were
sporadic before) before I confirmed that this patch seemed good. We
have seen no issues with your proposed patch, and I would be happy to
sign off on it if that matters (I don't do much kernel contribution so
I don't really know if my sign off means anything).

Regards,
Alexander Coffin


On Wed, Feb 1, 2023 at 3:47 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Alex,
>
> On Wed, Feb 1, 2023 at 2:36 PM <bluez.test.bot@gmail.com> wrote:
> >
> > This is automated email and please do not reply to this email!
> >
> > Dear submitter,
> >
> > Thank you for submitting the patches to the linux bluetooth mailing list.
> > This is a CI test results with your patch series:
> > PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=717902
> >
> > ---Test result---
> >
> > Test Summary:
> > CheckPatch                    PASS      1.17 seconds
> > GitLint                       PASS      0.36 seconds
> > SubjectPrefix                 PASS      0.13 seconds
> > BuildKernel                   PASS      37.93 seconds
> > CheckAllWarning               PASS      41.71 seconds
> > CheckSparse                   PASS      46.75 seconds
> > CheckSmatch                   PASS      126.54 seconds
> > BuildKernel32                 PASS      36.61 seconds
> > TestRunnerSetup               PASS      525.34 seconds
> > TestRunner_l2cap-tester       PASS      18.69 seconds
> > TestRunner_iso-tester         PASS      20.41 seconds
> > TestRunner_bnep-tester        PASS      6.76 seconds
> > TestRunner_mgmt-tester        PASS      129.22 seconds
> > TestRunner_rfcomm-tester      PASS      10.65 seconds
> > TestRunner_sco-tester         PASS      9.84 seconds
> > TestRunner_ioctl-tester       PASS      11.64 seconds
> > TestRunner_mesh-tester        PASS      8.60 seconds
> > TestRunner_smp-tester         PASS      9.80 seconds
> > TestRunner_userchan-tester    PASS      7.09 seconds
> > IncrementalBuild              PASS      34.40 seconds
>
> Looks like it is good with our tests in CI, that said I do wonder if
> you guys could enable it to run tests that may trigger these problems,
> since they normally are not found by normal tests.
>
> >
> >
> > ---
> > Regards,
> > Linux Bluetooth
> >
>
>
> --
> Luiz Augusto von Dentz

Re: Bluetooth: L2CAP: Fix potential user-after-free

[Luiz Augusto von Dentz]

Hi Alex,

On Tue, Feb 14, 2023 at 4:45 PM Alexander Coffin
<alex.coffin@matician.com> wrote:
>
> Hi Luiz,
>
> Sorry about the very slow response, but I just wanted to make sure
> that it worked well on our robots for a while (the crashes were
> sporadic before) before I confirmed that this patch seemed good. We
> have seen no issues with your proposed patch, and I would be happy to
> sign off on it if that matters (I don't do much kernel contribution so
> I don't really know if my sign off means anything).

It has been applied already, but thanks to confirming it is good to go.

> Regards,
> Alexander Coffin
>
>
> On Wed, Feb 1, 2023 at 3:47 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > Hi Alex,
> >
> > On Wed, Feb 1, 2023 at 2:36 PM <bluez.test.bot@gmail.com> wrote:
> > >
> > > This is automated email and please do not reply to this email!
> > >
> > > Dear submitter,
> > >
> > > Thank you for submitting the patches to the linux bluetooth mailing list.
> > > This is a CI test results with your patch series:
> > > PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=717902
> > >
> > > ---Test result---
> > >
> > > Test Summary:
> > > CheckPatch                    PASS      1.17 seconds
> > > GitLint                       PASS      0.36 seconds
> > > SubjectPrefix                 PASS      0.13 seconds
> > > BuildKernel                   PASS      37.93 seconds
> > > CheckAllWarning               PASS      41.71 seconds
> > > CheckSparse                   PASS      46.75 seconds
> > > CheckSmatch                   PASS      126.54 seconds
> > > BuildKernel32                 PASS      36.61 seconds
> > > TestRunnerSetup               PASS      525.34 seconds
> > > TestRunner_l2cap-tester       PASS      18.69 seconds
> > > TestRunner_iso-tester         PASS      20.41 seconds
> > > TestRunner_bnep-tester        PASS      6.76 seconds
> > > TestRunner_mgmt-tester        PASS      129.22 seconds
> > > TestRunner_rfcomm-tester      PASS      10.65 seconds
> > > TestRunner_sco-tester         PASS      9.84 seconds
> > > TestRunner_ioctl-tester       PASS      11.64 seconds
> > > TestRunner_mesh-tester        PASS      8.60 seconds
> > > TestRunner_smp-tester         PASS      9.80 seconds
> > > TestRunner_userchan-tester    PASS      7.09 seconds
> > > IncrementalBuild              PASS      34.40 seconds
> >
> > Looks like it is good with our tests in CI, that said I do wonder if
> > you guys could enable it to run tests that may trigger these problems,
> > since they normally are not found by normal tests.
> >
> > >
> > >
> > > ---
> > > Regards,
> > > Linux Bluetooth
> > >
> >
> >
> > --
> > Luiz Augusto von Dentz



-- 
Luiz Augusto von Dentz

Re: [PATCH] Bluetooth: L2CAP: Fix potential user-after-free

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed,  1 Feb 2023 14:07:03 -0800 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> This fixes all instances of which requires to allocate a buffer calling
> alloc_skb which may release the chan lock and reacquire later which
> makes it possible that the chan is disconnected in the meantime.
> 
> Fixes: a6a5568c03c4 ("Bluetooth: Lock the L2CAP channel when sending")
> Reported-by: Alexander Coffin <alex.coffin@matician.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> [...]

Here is the summary with links:
  - Bluetooth: L2CAP: Fix potential user-after-free
    https://git.kernel.org/bluetooth/bluetooth-next/c/c076b7d4e311

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html