From: Niels Dossche <dossche.niels@gmail.com>
To: linux-bluetooth@vger.kernel.org
Cc: Marcel Holtmann <marcel@holtmann.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
Niels Dossche <dossche.niels@gmail.com>
Subject: [PATCH v2] Bluetooth: protect remote oob data in build_pairing_cmd's callsites
Date: Tue, 13 Sep 2022 19:39:08 +0200 [thread overview]
Message-ID: <20220913173907.13792-1-dossche.niels@gmail.com> (raw)
Accesses to hci_dev->remote_oob_data are protected by the hdev lock,
except for the access in build_pairing_cmd via hci_find_remote_oob_data.
Adding the lock around the access in build_pairing_cmd would cause a
lock ordering problem: the l2cap_chan_lock is taken in the caller
smp_conn_security, while the hdev lock should be taken before the chan
lock.
The solution is to add the hdev lock to the callsites of
build_pairing_cmd.
Fixes: 02b05bd8b0a6 ("Bluetooth: Set SMP OOB flag if OOB data is available")
Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
---
Note:
I am currently working on a static analyser to detect missing locks
using type-based static analysis, which reported the missing lock on
v6.0-rc5. I manually verified the report by looking at the code,
so that I do not send wrong information or patches.
After concluding that this seems to be a true positive, I created
this patch. I have only managed to compile-test this patch on x86_64.
After applying the patch, my analyser no longer reports the potential
bug.
net/bluetooth/smp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 11f853d0500f..6611a789b6c1 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1803,7 +1803,9 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
return 0;
}
+ hci_dev_lock(hdev);
build_pairing_cmd(conn, req, &rsp, auth);
+ hci_dev_unlock(hdev);
if (rsp.auth_req & SMP_AUTH_SC) {
set_bit(SMP_FLAG_SC, &smp->flags);
@@ -2335,7 +2337,9 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
skb_pull(skb, sizeof(*rp));
memset(&cp, 0, sizeof(cp));
+ hci_dev_lock(hdev);
build_pairing_cmd(conn, &cp, NULL, auth);
+ hci_dev_unlock(hdev);
smp->preq[0] = SMP_CMD_PAIRING_REQ;
memcpy(&smp->preq[1], &cp, sizeof(cp));
@@ -2380,6 +2384,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
return 1;
}
+ hci_dev_lock(hcon->hdev);
l2cap_chan_lock(chan);
/* If SMP is already in progress ignore this request */
@@ -2435,6 +2440,7 @@ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
unlock:
l2cap_chan_unlock(chan);
+ hci_dev_unlock(hcon->hdev);
return ret;
}
--
2.37.3
next reply other threads:[~2022-09-13 18:23 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-13 17:39 Niels Dossche [this message]
2022-09-14 9:47 ` [PATCH v2] Bluetooth: protect remote oob data in build_pairing_cmd's callsites Niels Dossche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220913173907.13792-1-dossche.niels@gmail.com \
--to=dossche.niels@gmail.com \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox