Re: KASAN: use-after-free Read in hci_chan_del

From: Greg KH
Date: Sun Jun 06 2021 - 06:00:19 EST

Next message: Andrey Konovalov: "Re: [PATCH v3] kasan: test: Improve failure message in KUNIT_EXPECT_KASAN_FAIL()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] usb: dwc3: support 64 bit DMA in platform driver"
In reply to: Leon Romanovsky: "Re: KASAN: use-after-free Read in hci_chan_del"
Next in thread: Greg KH: "Re: KASAN: use-after-free Read in hci_chan_del"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jun 06, 2021 at 04:50:04PM +0800, Hillf Danton wrote:
> On 2020-08-02 20:45
> > syzbot found the following issue on:
> >
> > HEAD commit: ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11b8d570900000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
> > dashboard link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
> > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f7ceea900000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17e5de04900000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+305a91e025a73e4fd6ce@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > IPVS: ftp: loaded support on port[0] = 21
> > ==================================================================
> > BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
> > Read of size 8 at addr ffff8880a9591f18 by task syz-executor081/6793
> >
> > CPU: 0 PID: 6793 Comm: syz-executor081 Not tainted 5.8.0-rc7-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x1f0/0x31e lib/dump_stack.c:118
> > print_address_description+0x66/0x5a0 mm/kasan/report.c:383
> > __kasan_report mm/kasan/report.c:513 [inline]
> > kasan_report+0x132/0x1d0 mm/kasan/report.c:530
> > hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
> > l2cap_conn_del+0x4c2/0x650 net/bluetooth/l2cap_core.c:1900
> > hci_disconn_cfm include/net/bluetooth/hci_core.h:1355 [inline]
> > hci_conn_hash_flush+0x127/0x200 net/bluetooth/hci_conn.c:1536
> > hci_dev_do_close+0xb7b/0x1040 net/bluetooth/hci_core.c:1761
> > hci_unregister_dev+0x16d/0x1590 net/bluetooth/hci_core.c:3606
> > vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
> > __fput+0x2f0/0x750 fs/file_table.c:281
> > task_work_run+0x137/0x1c0 kernel/task_work.c:135
> > exit_task_work include/linux/task_work.h:25 [inline]
> > do_exit+0x601/0x1f80 kernel/exit.c:805
> > do_group_exit+0x161/0x2d0 kernel/exit.c:903
> > __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
> > __se_sys_exit_group+0x10/0x10 kernel/exit.c:912
> > __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
> > do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
> > entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> To fix the uaf reported, add reference count to hci channel to track users.
> Then only channels with zero users will be released.
>
> It is now only for thoughts.
>
> +++ x/include/net/bluetooth/hci_core.h
> @@ -704,6 +704,7 @@ struct hci_chan {
> struct sk_buff_head data_q;
> unsigned int sent;
> __u8 state;
> + atomic_t ref;

Please no, never use "raw" atomic variables. Especially for something
like this, use a kref.

thanks,

greg k-h

Next message: Andrey Konovalov: "Re: [PATCH v3] kasan: test: Improve failure message in KUNIT_EXPECT_KASAN_FAIL()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] usb: dwc3: support 64 bit DMA in platform driver"
In reply to: Leon Romanovsky: "Re: KASAN: use-after-free Read in hci_chan_del"
Next in thread: Greg KH: "Re: KASAN: use-after-free Read in hci_chan_del"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]