Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
The sco_send_frame() also takes lock_sock() during the memcpy_from_msg() call, which may be endlessly blocked by a task using the userfaultfd technique, and this will result in a hung task watchdog trigger. Just like the similar fix for hci_sock_sendmsg() in commit 92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves the memcpy_from_msg() out of lock_sock() to address the hang. This should be the last piece for fixing CVE-2021-3640 after a few already queued fixes. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent
927ac8da35
commit
99c23da0ee
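--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -280,7 +280,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
 return err;
 }
 
-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+static int sco_send_frame(struct sock *sk, void *buf, int len,
+unsigned int msg_flags)
 {
 struct sco_conn *conn = sco_pi(sk)->conn;
 struct sk_buff *skb;
@@ -292,15 +293,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
 
 BT_DBG("sk %p len %d", sk, len);
 
-skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
+skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
 if (!skb)
 return err;
 
-if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
-kfree_skb(skb);
-return -EFAULT;
-}
-
+memcpy(skb_put(skb, len), buf, len);
 hci_send_sco(conn->hcon, skb);
 
 return len;
@@ -725,6 +722,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
 size_t len)
 {
 struct sock *sk = sock->sk;
+void *buf;
 int err;
 
 BT_DBG("sock %p, sk %p", sock, sk);
@@ -736,14 +734,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
 if (msg->msg_flags & MSG_OOB)
 return -EOPNOTSUPP;
 
+buf = kmalloc(len, GFP_KERNEL);
+if (!buf)
+return -ENOMEM;
+
+if (memcpy_from_msg(buf, msg, len)) {
+kfree(buf);
+return -EFAULT;
+}
+
 lock_sock(sk);
 
 if (sk->sk_state == BT_CONNECTED)
-err = sco_send_frame(sk, msg, len);
+err = sco_send_frame(sk, buf, len, msg->msg_flags);
 else
 err = -ENOTCONN;
 
 release_sock(sk);
+kfree(buf);
 return err;
 }
 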
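Review bot: `buf = kmalloc(len, GFP_KERNEL);` in sco_sock_sendmsg() now allocates with the user-supplied `size_t len` before any length validation visible in this hunk, and the same value is narrowed to `int len` at the `sco_send_frame(sk, buf, len, msg->msg_flags)` call; if an outgoing-MTU check still lives in sco_send_frame() (its body is only partly shown here, and the hunk at -292 starts past that point), it now runs after the allocation and copy instead of before them. A cheap bound ahead of the allocation, e.g. `if (len > INT_MAX) return -EMSGSIZE;`, would make the narrowing explicit and reject oversized requests before touching the allocator; a tighter limit derived from the connection, if one can be read without lock_sock(), would be better still. The new sco_send_frame() signature would also benefit from a comment stating that `buf` is a caller-owned kernel buffer of at least `len` bytes that is copied into the skb and not freed by the callee, since the function previously took the msghdr directly.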