linux-bluetooth.vger.kernel.org archive mirror
* [PATCH] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
@ 2022-10-17  7:58 Zhengchao Shao
  2022-10-17  8:33 ` bluez.test.bot
  2022-10-17 20:30 ` [PATCH] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Zhengchao Shao @ 2022-10-17  7:58 UTC (permalink / raw)
  To: linux-bluetooth, netdev, davem, edumazet, kuba, pabeni
  Cc: marcel, johan.hedberg, luiz.dentz, weiyongjun1, yuehaibing,
	shaozhengchao

When l2cap_recv_frame() is invoked to receive data, and the cid is
L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
However, after a channel is created, the hold operation of the channel
is not performed. In this case, the value of channel reference counting
is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
invokes the close hook function of A2MP to release the channel. Then
l2cap_chan_unlock(chan) will trigger a UAF issue.

The process is as follows:
Receive data:
l2cap_data_channel()
    a2mp_channel_create()  --->channel ref is 2
    l2cap_chan_put()       --->channel ref is 1

Trigger event:
    hci_error_reset()
        hci_dev_do_close()
        ...
        l2cap_disconn_cfm()
            l2cap_conn_del()
                l2cap_chan_hold()    --->channel ref is 2
                l2cap_chan_del()     --->channel ref is 1
                a2mp_chan_close_cb() --->channel ref is 0, release channel
                l2cap_chan_unlock()  --->UAF of channel

The detailed Call Trace is as follows:
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
Workqueue: hci0 hci_error_reset
Call Trace:
 <TASK>
 dump_stack_lvl+0xcd/0x134
 print_report.cold+0x2ba/0x719
 kasan_report+0xb1/0x1e0
 kasan_check_range+0x140/0x190
 __mutex_unlock_slowpath+0xa6/0x5e0
 l2cap_conn_del+0x404/0x7b0
 l2cap_disconn_cfm+0x8c/0xc0
 hci_conn_hash_flush+0x11f/0x260
 hci_dev_close_sync+0x5f5/0x11f0
 hci_dev_do_close+0x2d/0x70
 hci_error_reset+0x9e/0x140
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 7593:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0xa9/0xd0
 l2cap_chan_create+0x40/0x930
 amp_mgr_create+0x96/0x990
 a2mp_channel_create+0x7d/0x150
 l2cap_recv_frame+0x51b8/0x9a70
 l2cap_recv_acldata+0xaa3/0xc00
 hci_rx_work+0x702/0x1220
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30

Freed by task 7593:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 ____kasan_slab_free+0x167/0x1c0
 slab_free_freelist_hook+0x89/0x1c0
 kfree+0xe2/0x580
 l2cap_chan_put+0x22a/0x2d0
 l2cap_conn_del+0x3fc/0x7b0
 l2cap_disconn_cfm+0x8c/0xc0
 hci_conn_hash_flush+0x11f/0x260
 hci_dev_close_sync+0x5f5/0x11f0
 hci_dev_do_close+0x2d/0x70
 hci_error_reset+0x9e/0x140
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0xbe/0xd0
 call_rcu+0x99/0x740
 netlink_release+0xe6a/0x1cf0
 __sock_release+0xcd/0x280
 sock_close+0x18/0x20
 __fput+0x27c/0xa90
 task_work_run+0xdd/0x1a0
 exit_to_user_mode_prepare+0x23c/0x250
 syscall_exit_to_user_mode+0x19/0x50
 do_syscall_64+0x42/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0xbe/0xd0
 call_rcu+0x99/0x740
 netlink_release+0xe6a/0x1cf0
 __sock_release+0xcd/0x280
 sock_close+0x18/0x20
 __fput+0x27c/0xa90
 task_work_run+0xdd/0x1a0
 exit_to_user_mode_prepare+0x23c/0x250
 syscall_exit_to_user_mode+0x19/0x50
 do_syscall_64+0x42/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
---
 net/bluetooth/l2cap_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2283871d3f01..9a32ce634919 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7615,6 +7615,7 @@ static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid,
 				return;
 			}
 
+			l2cap_chan_hold(chan);
 			l2cap_chan_lock(chan);
 		} else {
 			BT_DBG("unknown cid 0x%4.4x", cid);
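Review bot: the new l2cap_chan_hold(chan) is placed before l2cap_chan_lock(chan) in the branch that has just created the A2MP channel, which matches the hold-then-lock order the commit message's l2cap_conn_del() trace shows; what the hunk leaves implicit is which later l2cap_chan_put() this hold balances (the trace names the put in l2cap_data_channel() after a2mp_channel_create()), so the commit message should state that pairing and the intended refcount of a freshly created A2MP channel once the receive path returns (2 rather than 1), otherwise a later reader of this one-line change has to reconstruct it from the KASAN report. The else branch for an existing channel is untouched, so only the create path changes.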
-- 
2.17.1


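A small C model of the reference-count sequence the commit message describes, added here as an editor's example rather than kernel code or the author's: it replays the receive path and the hci_error_reset() teardown path with and without the patch's hold, and reports whether the final unlock touches a freed channel. The struct, the helper names and the freed flag standing in for KASAN are constructed for the model.

```c
#include <stdio.h>
/* Constructed model of the l2cap_chan refcount lifecycle the commit message
 * describes; not kernel code. 'freed' stands in for KASAN's freed-slab check. */
struct chan { int refcnt; int locked; int freed; };

static void chan_hold(struct chan *c) { c->refcnt++; }
static void chan_lock(struct chan *c) { c->locked = 1; }
/* Like l2cap_chan_put(): dropping the last reference frees the channel. */
static void chan_put(struct chan *c) { if (--c->refcnt == 0) c->freed = 1; }
/* Returns 1 when the unlock touches a freed channel (the UAF in the report). */
static int chan_unlock(struct chan *c) { if (c->freed) return 1; c->locked = 0; return 0; }

/* Receive path: a2mp_channel_create() hands back the channel at ref 2 and
 * l2cap_data_channel() drops one reference when it is done. With 'fixed'
 * set, the patch's extra l2cap_chan_hold(chan) is taken before the lock. */
static void rx_a2mp_frame(struct chan *c, int fixed)
{
	c->refcnt = 2;          /* a2mp_channel_create(): ref is 2 */
	if (fixed)
		chan_hold(c);   /* patch: l2cap_chan_hold(chan) */
	chan_lock(c);
	chan_unlock(c);
	chan_put(c);            /* l2cap_chan_put(): ref is 1 (2 if fixed) */
}

/* Teardown path: hci_error_reset() -> ... -> l2cap_conn_del(). */
static int conn_del(struct chan *c)
{
	chan_hold(c);           /* l2cap_chan_hold() */
	chan_lock(c);
	chan_put(c);            /* l2cap_chan_del() drops the list reference */
	chan_put(c);            /* a2mp_chan_close_cb() drops the A2MP reference */
	return chan_unlock(c);  /* l2cap_chan_unlock(): UAF if ref reached 0 */
}

/* 1 = the sequence ends in a use-after-free, 0 = the channel survives. */
int a2mp_teardown_uaf(int fixed)
{
	struct chan c = { 0, 0, 0 };
	rx_a2mp_frame(&c, fixed);
	return conn_del(&c);
}

int main(void)
{
	printf("without hold: uaf=%d, with hold: uaf=%d\n",
	       a2mp_teardown_uaf(0), a2mp_teardown_uaf(1));
	return 0;
}
```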

* RE: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
  2022-10-17  7:58 [PATCH] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() Zhengchao Shao
@ 2022-10-17  8:33 ` bluez.test.bot
  2022-10-17 20:30 ` [PATCH] " patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2022-10-17  8:33 UTC (permalink / raw)
  To: linux-bluetooth, shaozhengchao


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=685728

---Test result---

Test Summary:
CheckPatch                    PASS      1.64 seconds
GitLint                       PASS      0.95 seconds
SubjectPrefix                 PASS      0.86 seconds
BuildKernel                   PASS      35.42 seconds
BuildKernel32                 PASS      31.82 seconds
Incremental Build with patches PASS      45.28 seconds
TestRunner: Setup             PASS      523.07 seconds
TestRunner: l2cap-tester      PASS      17.89 seconds
TestRunner: iso-tester        PASS      17.02 seconds
TestRunner: bnep-tester       PASS      6.84 seconds
TestRunner: mgmt-tester       PASS      109.11 seconds
TestRunner: rfcomm-tester     PASS      10.67 seconds
TestRunner: sco-tester        PASS      10.09 seconds
TestRunner: ioctl-tester      PASS      11.35 seconds
TestRunner: mesh-tester       PASS      8.29 seconds
TestRunner: smp-tester        PASS      10.07 seconds
TestRunner: userchan-tester   PASS      7.04 seconds



---
Regards,
Linux Bluetooth



* Re: [PATCH] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
  2022-10-17  7:58 [PATCH] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() Zhengchao Shao
  2022-10-17  8:33 ` bluez.test.bot
@ 2022-10-17 20:30 ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2022-10-17 20:30 UTC (permalink / raw)
  To: Zhengchao Shao
  Cc: linux-bluetooth, netdev, davem, edumazet, kuba, pabeni, marcel,
	johan.hedberg, luiz.dentz, weiyongjun1, yuehaibing

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 17 Oct 2022 15:58:13 +0800 you wrote:
> When l2cap_recv_frame() is invoked to receive data, and the cid is
> L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
> However, after a channel is created, the hold operation of the channel
> is not performed. In this case, the value of channel reference counting
> is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
> invokes the close hook function of A2MP to release the channel. Then
> l2cap_chan_unlock(chan) will trigger a UAF issue.
> 
> [...]

Here is the summary with links:
  - Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
    https://git.kernel.org/bluetooth/bluetooth-next/c/42cf46dea905

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



