* [PATCH v2] Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
@ 2023-08-11 17:46 Luiz Augusto von Dentz
2023-08-11 18:20 ` [v2] " bluez.test.bot
2023-08-11 23:04 ` [PATCH v2] " Pauli Virtanen
0 siblings, 2 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2023-08-11 17:46 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Use-after-free can occur in hci_disconnect_all_sync if a connection is
deleted by concurrent processing of a controller event.
To prevent this the code now tries to iterate over the list backwards
to ensure the links are cleanup before its parents, also it no longer
relies on a cursor, instead it always uses the last element since
hci_abort_conn_sync is guaranteed to call hci_conn_del.
UAF crash log:
==================================================================
BUG: KASAN: slab-use-after-free in hci_set_powered_sync
(net/bluetooth/hci_sync.c:5424) [bluetooth]
Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124
CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W
6.5.0-rc1+ #10
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xdd/0x160
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
kasan_report+0xa6/0xe0
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
? __pfx_lock_release+0x10/0x10
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_cmd_sync_work+0x137/0x220 [bluetooth]
process_one_work+0x526/0x9d0
? __pfx_process_one_work+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? mark_held_locks+0x1a/0x90
worker_thread+0x92/0x630
? __pfx_worker_thread+0x10/0x10
kthread+0x196/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
</TASK>
Allocated by task 1782:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0x8f/0xa0
hci_conn_add+0xa5/0xa80 [bluetooth]
hci_bind_cis+0x881/0x9b0 [bluetooth]
iso_connect_cis+0x121/0x520 [bluetooth]
iso_sock_connect+0x3f6/0x790 [bluetooth]
__sys_connect+0x109/0x130
__x64_sys_connect+0x40/0x50
do_syscall_64+0x60/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 695:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x50
__kasan_slab_free+0x10a/0x180
__kmem_cache_free+0x14d/0x2e0
device_release+0x5d/0xf0
kobject_put+0xdf/0x270
hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
hci_event_packet+0x579/0x7e0 [bluetooth]
hci_rx_work+0x287/0xaa0 [bluetooth]
process_one_work+0x526/0x9d0
worker_thread+0x92/0x630
kthread+0x196/0x1e0
ret_from_fork+0x2c/0x50
==================================================================
Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_sync.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 5eb30ba21370..c2fa6690c84c 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5389,7 +5389,11 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
hci_dev_unlock(hdev);
return 0;
default:
+ hci_dev_lock(hdev);
conn->state = BT_CLOSED;
+ hci_disconn_cfm(conn, reason);
+ hci_conn_del(conn);
+ hci_dev_unlock(hdev);
return 0;
}
@@ -5418,13 +5422,19 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
{
- struct hci_conn *conn, *tmp;
- int err;
+ struct list_head *head = &hdev->conn_hash.list;
- list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
- err = hci_abort_conn_sync(hdev, conn, reason);
- if (err)
- return err;
+ /* Use reverse order so links are cleanup before parents */
+ while (!list_empty(&hdev->conn_hash.list)) {
+ struct hci_conn *conn = list_last_entry(head, struct hci_conn,
+ list);
+
+ /* Disregard possible errors since hci_conn_del shall have been
+ * called even in case of errors had occurred since it would
+ * then cause hci_conn_failed to be called which calls
+ * hci_conn_del internally.
+ */
+ hci_abort_conn_sync(hdev, conn, reason);
}
return 0;
--
2.41.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* RE: [v2] Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
2023-08-11 17:46 [PATCH v2] Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Luiz Augusto von Dentz
@ 2023-08-11 18:20 ` bluez.test.bot
2023-08-11 23:04 ` [PATCH v2] " Pauli Virtanen
1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2023-08-11 18:20 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 1427 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=775448
---Test result---
Test Summary:
CheckPatch PASS 0.77 seconds
GitLint PASS 0.33 seconds
SubjectPrefix PASS 0.10 seconds
BuildKernel PASS 44.80 seconds
CheckAllWarning PASS 48.41 seconds
CheckSparse PASS 54.47 seconds
CheckSmatch PASS 145.66 seconds
BuildKernel32 PASS 42.36 seconds
TestRunnerSetup PASS 639.62 seconds
TestRunner_l2cap-tester PASS 31.76 seconds
TestRunner_iso-tester PASS 72.96 seconds
TestRunner_bnep-tester PASS 14.73 seconds
TestRunner_mgmt-tester PASS 274.49 seconds
TestRunner_rfcomm-tester PASS 21.91 seconds
TestRunner_sco-tester PASS 24.41 seconds
TestRunner_ioctl-tester PASS 24.53 seconds
TestRunner_mesh-tester PASS 17.87 seconds
TestRunner_smp-tester PASS 19.13 seconds
TestRunner_userchan-tester PASS 15.05 seconds
IncrementalBuild PASS 39.65 seconds
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
2023-08-11 17:46 [PATCH v2] Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Luiz Augusto von Dentz
2023-08-11 18:20 ` [v2] " bluez.test.bot
@ 2023-08-11 23:04 ` Pauli Virtanen
2023-08-11 23:17 ` Luiz Augusto von Dentz
1 sibling, 1 reply; 4+ messages in thread
From: Pauli Virtanen @ 2023-08-11 23:04 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth
Hi Luiz,
pe, 2023-08-11 kello 10:46 -0700, Luiz Augusto von Dentz kirjoitti:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> Use-after-free can occur in hci_disconnect_all_sync if a connection is
> deleted by concurrent processing of a controller event.
>
> To prevent this the code now tries to iterate over the list backwards
> to ensure the links are cleanup before its parents, also it no longer
> relies on a cursor, instead it always uses the last element since
> hci_abort_conn_sync is guaranteed to call hci_conn_del.
This v2 patch seems to be same as v1. Is it the right one?
>
> UAF crash log:
> ==================================================================
> BUG: KASAN: slab-use-after-free in hci_set_powered_sync
> (net/bluetooth/hci_sync.c:5424) [bluetooth]
> Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124
>
> CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W
> 6.5.0-rc1+ #10
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> 1.16.2-1.fc38 04/01/2014
> Workqueue: hci0 hci_cmd_sync_work [bluetooth]
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5b/0x90
> print_report+0xcf/0x670
> ? __virt_addr_valid+0xdd/0x160
> ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
> kasan_report+0xa6/0xe0
> ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
> ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
> hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
> ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
> ? __pfx_lock_release+0x10/0x10
> ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
> hci_cmd_sync_work+0x137/0x220 [bluetooth]
> process_one_work+0x526/0x9d0
> ? __pfx_process_one_work+0x10/0x10
> ? __pfx_do_raw_spin_lock+0x10/0x10
> ? mark_held_locks+0x1a/0x90
> worker_thread+0x92/0x630
> ? __pfx_worker_thread+0x10/0x10
> kthread+0x196/0x1e0
> ? __pfx_kthread+0x10/0x10
> ret_from_fork+0x2c/0x50
> </TASK>
>
> Allocated by task 1782:
> kasan_save_stack+0x33/0x60
> kasan_set_track+0x25/0x30
> __kasan_kmalloc+0x8f/0xa0
> hci_conn_add+0xa5/0xa80 [bluetooth]
> hci_bind_cis+0x881/0x9b0 [bluetooth]
> iso_connect_cis+0x121/0x520 [bluetooth]
> iso_sock_connect+0x3f6/0x790 [bluetooth]
> __sys_connect+0x109/0x130
> __x64_sys_connect+0x40/0x50
> do_syscall_64+0x60/0x90
> entry_SYSCALL_64_after_hwframe+0x6e/0xd8
>
> Freed by task 695:
> kasan_save_stack+0x33/0x60
> kasan_set_track+0x25/0x30
> kasan_save_free_info+0x2b/0x50
> __kasan_slab_free+0x10a/0x180
> __kmem_cache_free+0x14d/0x2e0
> device_release+0x5d/0xf0
> kobject_put+0xdf/0x270
> hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
> hci_event_packet+0x579/0x7e0 [bluetooth]
> hci_rx_work+0x287/0xaa0 [bluetooth]
> process_one_work+0x526/0x9d0
> worker_thread+0x92/0x630
> kthread+0x196/0x1e0
> ret_from_fork+0x2c/0x50
> ==================================================================
>
> Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
> Signed-off-by: Pauli Virtanen <pav@iki.fi>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_sync.c | 22 ++++++++++++++++------
> 1 file changed, 16 insertions(+), 6 deletions(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index 5eb30ba21370..c2fa6690c84c 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -5389,7 +5389,11 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
> hci_dev_unlock(hdev);
> return 0;
> default:
> + hci_dev_lock(hdev);
> conn->state = BT_CLOSED;
> + hci_disconn_cfm(conn, reason);
> + hci_conn_del(conn);
> + hci_dev_unlock(hdev);
> return 0;
> }
>
> @@ -5418,13 +5422,19 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
>
> static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
> {
> - struct hci_conn *conn, *tmp;
> - int err;
> + struct list_head *head = &hdev->conn_hash.list;
>
> - list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
> - err = hci_abort_conn_sync(hdev, conn, reason);
> - if (err)
> - return err;
> + /* Use reverse order so links are cleanup before parents */
> + while (!list_empty(&hdev->conn_hash.list)) {
> + struct hci_conn *conn = list_last_entry(head, struct hci_conn,
> + list);
> +
> + /* Disregard possible errors since hci_conn_del shall have been
> + * called even in case of errors had occurred since it would
> + * then cause hci_conn_failed to be called which calls
> + * hci_conn_del internally.
> + */
> + hci_abort_conn_sync(hdev, conn, reason);
> }
>
> return 0;
--
Pauli Virtanen
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
2023-08-11 23:04 ` [PATCH v2] " Pauli Virtanen
@ 2023-08-11 23:17 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2023-08-11 23:17 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Fri, Aug 11, 2023 at 4:05 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi Luiz,
>
> pe, 2023-08-11 kello 10:46 -0700, Luiz Augusto von Dentz kirjoitti:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > Use-after-free can occur in hci_disconnect_all_sync if a connection is
> > deleted by concurrent processing of a controller event.
> >
> > To prevent this the code now tries to iterate over the list backwards
> > to ensure the links are cleanup before its parents, also it no longer
> > relies on a cursor, instead it always uses the last element since
> > hci_abort_conn_sync is guaranteed to call hci_conn_del.
>
> This v2 patch seems to be same as v1. Is it the right one?
>
> >
> > UAF crash log:
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in hci_set_powered_sync
> > (net/bluetooth/hci_sync.c:5424) [bluetooth]
> > Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124
> >
> > CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W
> > 6.5.0-rc1+ #10
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> > 1.16.2-1.fc38 04/01/2014
> > Workqueue: hci0 hci_cmd_sync_work [bluetooth]
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x5b/0x90
> > print_report+0xcf/0x670
> > ? __virt_addr_valid+0xdd/0x160
> > ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
> > kasan_report+0xa6/0xe0
> > ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
> > ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
> > hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
> > ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
> > ? __pfx_lock_release+0x10/0x10
> > ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
> > hci_cmd_sync_work+0x137/0x220 [bluetooth]
> > process_one_work+0x526/0x9d0
> > ? __pfx_process_one_work+0x10/0x10
> > ? __pfx_do_raw_spin_lock+0x10/0x10
> > ? mark_held_locks+0x1a/0x90
> > worker_thread+0x92/0x630
> > ? __pfx_worker_thread+0x10/0x10
> > kthread+0x196/0x1e0
> > ? __pfx_kthread+0x10/0x10
> > ret_from_fork+0x2c/0x50
> > </TASK>
> >
> > Allocated by task 1782:
> > kasan_save_stack+0x33/0x60
> > kasan_set_track+0x25/0x30
> > __kasan_kmalloc+0x8f/0xa0
> > hci_conn_add+0xa5/0xa80 [bluetooth]
> > hci_bind_cis+0x881/0x9b0 [bluetooth]
> > iso_connect_cis+0x121/0x520 [bluetooth]
> > iso_sock_connect+0x3f6/0x790 [bluetooth]
> > __sys_connect+0x109/0x130
> > __x64_sys_connect+0x40/0x50
> > do_syscall_64+0x60/0x90
> > entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> >
> > Freed by task 695:
> > kasan_save_stack+0x33/0x60
> > kasan_set_track+0x25/0x30
> > kasan_save_free_info+0x2b/0x50
> > __kasan_slab_free+0x10a/0x180
> > __kmem_cache_free+0x14d/0x2e0
> > device_release+0x5d/0xf0
> > kobject_put+0xdf/0x270
> > hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
> > hci_event_packet+0x579/0x7e0 [bluetooth]
> > hci_rx_work+0x287/0xaa0 [bluetooth]
> > process_one_work+0x526/0x9d0
> > worker_thread+0x92/0x630
> > kthread+0x196/0x1e0
> > ret_from_fork+0x2c/0x50
> > ==================================================================
> >
> > Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
> > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> > net/bluetooth/hci_sync.c | 22 ++++++++++++++++------
> > 1 file changed, 16 insertions(+), 6 deletions(-)
> >
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index 5eb30ba21370..c2fa6690c84c 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -5389,7 +5389,11 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
> > hci_dev_unlock(hdev);
> > return 0;
> > default:
> > + hci_dev_lock(hdev);
> > conn->state = BT_CLOSED;
> > + hci_disconn_cfm(conn, reason);
> > + hci_conn_del(conn);
> > + hci_dev_unlock(hdev);
> > return 0;
> > }
> >
> > @@ -5418,13 +5422,19 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
> >
> > static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
> > {
> > - struct hci_conn *conn, *tmp;
> > - int err;
> > + struct list_head *head = &hdev->conn_hash.list;
> >
> > - list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
> > - err = hci_abort_conn_sync(hdev, conn, reason);
> > - if (err)
> > - return err;
> > + /* Use reverse order so links are cleanup before parents */
> > + while (!list_empty(&hdev->conn_hash.list)) {
> > + struct hci_conn *conn = list_last_entry(head, struct hci_conn,
> > + list);
> > +
> > + /* Disregard possible errors since hci_conn_del shall have been
> > + * called even in case of errors had occurred since it would
> > + * then cause hci_conn_failed to be called which calls
> > + * hci_conn_del internally.
> > + */
> > + hci_abort_conn_sync(hdev, conn, reason);
> > }
> >
> > return 0;
>
> --
> Pauli Virtanen
Must have sent the wrong one, let's see if I got it right on v3.
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-08-11 23:17 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-11 17:46 [PATCH v2] Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Luiz Augusto von Dentz
2023-08-11 18:20 ` [v2] " bluez.test.bot
2023-08-11 23:04 ` [PATCH v2] " Pauli Virtanen
2023-08-11 23:17 ` Luiz Augusto von Dentz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.