Re: use-after-free in Bluetooth: 6lowpan (was Re: KASAN: use-after-free Write in refcount_warn_saturate)

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Jukka Rissanen <jukka.rissanen@linux.intel.com>,
	Johan Hedberg <johan.hedberg@intel.com>
Cc: davem@davemloft.net, kuba@kernel.org,
	linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
	marcel@holtmann.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	syzbot <syzbot+7dd7f2f77a7a01d1dc14@syzkaller.appspotmail.com>,
	Michael Scott <mike@foundries.io>,
	Josua Mayer <josua.mayer@jm0.eu>
Subject: Re: use-after-free in Bluetooth: 6lowpan (was Re: KASAN: use-after-free Write in refcount_warn_saturate)
Date: Sun, 5 Jul 2020 20:32:48 -0700	[thread overview]
Message-ID: <202007052022.984BAD97@keescook> (raw)
In-Reply-To: <00000000000055e1a9059f9e169f@google.com>

On Thu, Feb 27, 2020 at 11:50:11PM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    f8788d86 Linux 5.6-rc3
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13005fd9e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=9833e26bab355358
> dashboard link: https://syzkaller.appspot.com/bug?extid=7dd7f2f77a7a01d1dc14
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> userspace arch: i386
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17e3ebede00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a9f8f9e00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7dd7f2f77a7a01d1dc14@syzkaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: use-after-free in atomic_set include/asm-generic/atomic-instrumented.h:44 [inline]
> BUG: KASAN: use-after-free in refcount_set include/linux/refcount.h:123 [inline]
> BUG: KASAN: use-after-free in refcount_warn_saturate+0x1f/0x1f0 lib/refcount.c:15
> Write of size 4 at addr ffff888090eb4018 by task kworker/1:24/2888
> 
> CPU: 1 PID: 2888 Comm: kworker/1:24 Not tainted 5.6.0-rc3-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: events do_enable_set
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x197/0x210 lib/dump_stack.c:118
>  print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
>  __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
>  kasan_report+0x12/0x20 mm/kasan/common.c:641
>  check_memory_region_inline mm/kasan/generic.c:185 [inline]
>  check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
>  __kasan_check_write+0x14/0x20 mm/kasan/common.c:101
>  atomic_set include/asm-generic/atomic-instrumented.h:44 [inline]
>  refcount_set include/linux/refcount.h:123 [inline]
>  refcount_warn_saturate+0x1f/0x1f0 lib/refcount.c:15
>  refcount_sub_and_test include/linux/refcount.h:261 [inline]
>  refcount_dec_and_test include/linux/refcount.h:281 [inline]
>  kref_put include/linux/kref.h:64 [inline]
>  l2cap_chan_put+0x1d9/0x240 net/bluetooth/l2cap_core.c:498
>  do_enable_set+0x54b/0x960 net/bluetooth/6lowpan.c:1075
>  process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
>  worker_thread+0x98/0xe40 kernel/workqueue.c:2410
>  kthread+0x361/0x430 kernel/kthread.c:255
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> 
> Allocated by task 2888:
>  save_stack+0x23/0x90 mm/kasan/common.c:72
>  set_track mm/kasan/common.c:80 [inline]
>  __kasan_kmalloc mm/kasan/common.c:515 [inline]
>  __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
>  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
>  kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3551
>  kmalloc include/linux/slab.h:555 [inline]
>  kzalloc include/linux/slab.h:669 [inline]
>  l2cap_chan_create+0x45/0x3a0 net/bluetooth/l2cap_core.c:446
>  chan_create+0x10/0xe0 net/bluetooth/6lowpan.c:640
>  bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
>  do_enable_set+0x583/0x960 net/bluetooth/6lowpan.c:1078
>  process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
>  worker_thread+0x98/0xe40 kernel/workqueue.c:2410
>  kthread+0x361/0x430 kernel/kthread.c:255
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> 
> Freed by task 2975:
>  save_stack+0x23/0x90 mm/kasan/common.c:72
>  set_track mm/kasan/common.c:80 [inline]
>  kasan_set_free_info mm/kasan/common.c:337 [inline]
>  __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
>  kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
>  __cache_free mm/slab.c:3426 [inline]
>  kfree+0x10a/0x2c0 mm/slab.c:3757
>  l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
>  kref_put include/linux/kref.h:65 [inline]
>  l2cap_chan_put+0x1b7/0x240 net/bluetooth/l2cap_core.c:498
>  do_enable_set+0x54b/0x960 net/bluetooth/6lowpan.c:1075
>  process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
>  worker_thread+0x98/0xe40 kernel/workqueue.c:2410
>  kthread+0x361/0x430 kernel/kthread.c:255
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The free and use-after-free are both via the same do_enable_set() path
which implies there are racing writes to the debugfs write handler. It
seems locking is missing for both listen_chan and enable_6lowpan. The
latter seems misused in is_bt_6lowpan(), which should likely just be
checking for chan->ops == &bt_6lowpan_chan_ops, I think?

I have no way to actually test changes to this code...

-- 
Kees Cook

next prev parent reply	other threads:[~2020-07-06  3:32 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-28  7:50 KASAN: use-after-free Write in refcount_warn_saturate syzbot
2020-07-06  3:32 ` Kees Cook [this message]
2020-07-08 17:36   ` use-after-free in Bluetooth: 6lowpan (was Re: KASAN: use-after-free Write in refcount_warn_saturate) Ing. Josua Mayer
2020-09-04 14:44 ` KASAN: use-after-free Write in refcount_warn_saturate syzbot
2020-11-11 13:25   ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202007052022.984BAD97@keescook \
    --to=keescook@chromium.org \
    --cc=davem@davemloft.net \
    --cc=johan.hedberg@intel.com \
    --cc=josua.mayer@jm0.eu \
    --cc=jukka.rissanen@linux.intel.com \
    --cc=kuba@kernel.org \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marcel@holtmann.org \
    --cc=mike@foundries.io \
    --cc=netdev@vger.kernel.org \
    --cc=syzbot+7dd7f2f77a7a01d1dc14@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).