hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-sg2042/net
History
Lihong Kou f9c70bdc27 Bluetooth: add a mutex lock to avoid UAF in do_enale_set 
In the case we set or free the global value listen_chan in
different threads, we can encounter the UAF problems because
the method is not protected by any lock, add one to avoid
this bug.

BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
net/bluetooth/l2cap_core.c:730
Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868

CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
 do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 2870:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
 chan_create net/bluetooth/6lowpan.c:640 [inline]
 bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
 do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 2870:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10d/0x220 mm/slab.c:3757
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
 do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888096950000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff888096950000, ffff888096950800)
The buggy address belongs to the page:
page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
Signed-off-by: Lihong Kou <koulihong@huawei.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
 		2020-06-23 14:30:07 +02:00
..
6lowpan
9p 9pnet: allow making incomplete read requests 2020-03-27 09:29:56 +00:00
802 net: 802: psnap.c: Use built-in RCU list checking 2020-02-24 13:02:53 -08:00
8021q netpoll: accept NULL np argument in netpoll_send_skb() 2020-05-07 18:11:07 -07:00
appletalk ipv4,appletalk: move SIOCADDRT and SIOCDELRT handling into ->compat_ioctl 2020-05-18 17:35:02 -07:00
atm atm: switch do_atmif_sioc() to direct use of atm_dev_ioctl() 2020-05-20 20:31:36 -04:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-24 13:47:27 -07:00
batman-adv This cleanup patchset includes the following patches: 2020-05-26 15:19:29 -07:00
bluetooth Bluetooth: add a mutex lock to avoid UAF in do_enale_set 2020-06-23 14:30:07 +02:00
bpf bpf: Fix too large copy from user in bpf_test_init 2020-05-19 17:56:34 +02:00
bpfilter SPDX patches for 5.7-rc1. 2020-04-03 13:12:26 -07:00
bridge bridge: mrp: Add support for role MRA 2020-06-01 11:56:11 -07:00
caif net: caif: Fix use correct return type for ndo_start_xmit() 2020-04-30 12:13:07 -07:00
can can: j1939: j1939_sk_bind(): take priv after lock is held 2019-12-08 11:52:02 +01:00
ceph Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
core bpf: Add csum_level helper for fixing up csum levels 2020-06-02 11:50:23 -07:00
dcb
dccp ipv6: move SIOCADDRT and SIOCDELRT handling into ->compat_ioctl 2020-05-18 17:35:02 -07:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-05-01 17:02:27 -07:00
dns_resolver docs: networking: convert dns_resolver.txt to ReST 2020-04-28 14:39:46 -07:00
dsa Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
ethernet net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
ethtool net: ethtool: cabletest: Make ethnl_act_cable_test_tdr_cfg static 2020-05-29 17:28:30 -07:00
hsr hsr: remove WARN_ONCE() in hsr_fill_frame_info() 2020-05-07 17:40:02 -07:00
ieee802154 ieee802154: 6lowpan: remove unnecessary comparison 2020-05-08 22:25:10 -07:00
ife
ipv4 net: Make locking in sock_bindtoindex optional 2020-06-01 14:57:14 -07:00
ipv6 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-06-01 15:53:08 -07:00
iucv net/af_iucv: clean up function prototypes 2020-05-19 12:50:14 -07:00
kcm net: kcm: kcmproc.c: Fix RCU list suspicious usage warning 2020-03-16 17:14:02 -07:00
key
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
l3mdev
lapb docs: networking: convert lapb-module.txt to ReST 2020-04-30 12:56:35 -07:00
llc af_llc: fix if-statement empty body warning 2020-02-26 20:38:13 -08:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
mac802154
mpls net: Make mpls_entry_encode() available for generic users 2020-05-29 21:20:20 -07:00
mptcp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
ncsi net/ncsi: Support for multi host mellanox card 2020-01-09 18:36:22 -08:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2020-06-01 11:46:30 -07:00
netlabel netlabel: cope with NULL catmap 2020-05-12 18:12:40 -07:00
netlink bpf: Enable bpf_iter targets registering ctx argument types 2020-05-13 12:30:50 -07:00
netrom net: partially revert dynamic lockdep key changes 2020-05-04 12:05:56 -07:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
nsh
openvswitch net: openvswitch: use div_u64() for 64-by-32 divisions 2020-04-25 20:48:21 -07:00
packet net/packet: tpacket_rcv: avoid a producer race condition 2020-03-15 00:25:25 -07:00
phonet sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
psample net: psample: fix build error when CONFIG_INET is not enabled 2020-05-23 16:36:05 -07:00
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
rds tcp: add tcp_sock_set_keepcnt 2020-05-28 11:11:45 -07:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2019-12-16 10:15:49 +01:00
rose net: partially revert dynamic lockdep key changes 2020-05-04 12:05:56 -07:00
rxrpc rxrpc: add rxrpc_sock_set_min_security_level 2020-05-28 11:11:46 -07:00
sched cls_flower: remove mpls_opts_policy 2020-06-01 12:01:05 -07:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
smc net/smc: pre-fetch send buffer outside of send_lock 2020-05-30 18:12:25 -07:00
strparser
sunrpc ipv6: add ip6_sock_set_recvpktinfo 2020-05-28 11:11:46 -07:00
switchdev net: switchdev: do not propagate bridge updates across bridges 2020-02-26 20:58:33 -08:00
tipc Revert "tipc: Fix potential tipc_aead refcnt leak in tipc_crypto_rcv" 2020-06-02 15:13:47 -07:00
tls bpf: Fix running sk_skb program types with ktls 2020-06-01 14:48:32 -07:00
unix net: datagram: drop 'destructor' argument from several helpers 2020-02-28 12:12:53 -08:00
vmw_vsock virtio_vsock: Fix race condition in virtio_transport_recv_pkt 2020-05-30 17:44:01 -07:00
wimax
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
x25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-06 22:10:13 -07:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
Kconfig net: ethtool: netlink: Add support for triggering a cable test 2020-05-10 12:28:41 -07:00
Makefile net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
compat.c switch cmsghdr_from_user_compat_to_kern() to copy_from_user() 2020-06-01 12:05:45 -07:00
devres.c net: devres: provide devm_register_netdev() 2020-05-23 16:56:17 -07:00
socket.c net: remove kernel_setsockopt 2020-05-29 13:10:39 -07:00
sysctl_net.c