Re: [syzbot] [bluetooth?] KASAN: null-ptr-deref Read in ida_free (4)
From: Matthew Wilcox
Date: Fri Jan 19 2024 - 08:48:21 EST
On Fri, Jan 19, 2024 at 12:58:21PM +0100, Dmitry Vyukov wrote:
> On Thu, 18 Jan 2024 at 15:02, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
> >
> > On Thu, Jan 18, 2024 at 11:21:34AM +0100, Dmitry Vyukov wrote:
> > > On Sat, 25 Nov 2023 at 14:18, syzbot
> > > <syzbot+51baee846ddab52d5230@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > HEAD commit: 8c9660f65153 Add linux-next specific files for 20231124
> > > > git tree: linux-next
> > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1678a3cce80000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ca1e8655505e280
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=51baee846ddab52d5230
> > > > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d54c08e80000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160ef1a4e80000
> > > >
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/345ed4af3a0d/disk-8c9660f6.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/191053c69d57/vmlinux-8c9660f6.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/aac7ee5e55e0/bzImage-8c9660f6.xz
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+51baee846ddab52d5230@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > >
> > > > Bluetooth: hci0: hardware error 0x00
> > > > ==================================================================
> > > > BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> > > > BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
> > > > BUG: KASAN: null-ptr-deref in ida_free+0x218/0x2e0 lib/idr.c:511
> > > > Read of size 8 at addr 0000000000000078 by task kworker/u5:1/4455
> > > >
> > > > CPU: 1 PID: 4455 Comm: kworker/u5:1 Not tainted 6.7.0-rc2-next-20231124-syzkaller #0
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
> > > > Workqueue: hci0 hci_error_reset
> > > > Call Trace:
> > > > <TASK>
> > > > __dump_stack lib/dump_stack.c:88 [inline]
> > > > dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
> > > > kasan_report+0xd9/0x110 mm/kasan/report.c:588
> > > > check_region_inline mm/kasan/generic.c:182 [inline]
> > > > kasan_check_range+0xef/0x190 mm/kasan/generic.c:188
> > > > instrument_atomic_read include/linux/instrumented.h:68 [inline]
> > > > _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
> > >
> > > Wonder if this is fixed with:
> > >
> > > ida: Fix crash in ida_free when the bitmap is empty
> > >
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=af73483f4e8b6f5c68c9aa63257bdd929a9c194a
> > >
> > > ?
> >
> > Should be. The backtrace below looks like it's the same bug that got
> > reported 3-4 weeks ago.
>
> On second thought, perhaps the bluetooth stack shouldn't free invalid
> ids in the first place.
> It may even take these bogus ids from the wire, which would be pretty bad.
Oh, that was my first response. Unfortunately, the original reporter was
all "I filed a CVE and this is S3CUR1+Y F!X" so none of that interaction
is public.
What my patch will do is convert this NULL pointer dereference into a
warning (which will still be noticed by syzbot). The bluetooth stack
still needs to be fixed to not free invalid IDs.