lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 14 Oct 2010 18:37:10 -0300
From:	"Gustavo F. Padovan" <padovan@...fusion.mobi>
To:	Nathan Holstein <nathan.holstein@...il.com>
Cc:	linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org
Subject: Re: [PATCH] fix oops in l2cap_connect_req

Hi Nathan,

* Nathan Holstein <nathan.holstein@...il.com> [2010-10-14 18:37:53 -0400]:

> (Please keep me in the CC list, I'm not subscribed to lkml)
> 
> [1] L2CAP module dereferences an uninitialized pointer within l2cap_connect_req.
> 
> [2] I'm currently testing a 2.6.35 kernel on a Nexus One with backported
> patches from bluetooth-2.6.  When testing against certain BT devices, I'm seeing
> a null-pointer deref.  The crash is caused by this portion of commit e9aeb2dd:
> 
> @@ -2966,6 +2991,15 @@ sendresp:
>                                         L2CAP_INFO_REQ, sizeof(info), &info);
>         }
> 
> +       if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
> +                               result == L2CAP_CR_SUCCESS) {
> +               u8 buf[128];
> +               l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
> +               l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
> +                                       l2cap_build_conf_req(sk, buf), buf);
> +               l2cap_pi(sk)->num_conf_req++;
> +       }
> +
>         return 0;
>  }
> 
> Multiple error cases jump to the response & sendresp labels prior to
> initializing
> the "sk" variable.  In the case I'm currently seeing, the remote BT
> device fails to
> properly secure the ACL, making this crash 100% reproducible.
> 
> [3] Bluetooth, L2CAP
> 
> [4] This bug appears to be in the mainline 2.6.36-rc? kernel, in addition to
>  multiple Bluetooth development trees
> 
> The following patch fixes the crash.
> 
> 
>    --nathan
> 
> ---
> In error cases when the ACL is insecure or we fail to allocate a new
> struct sock, we jump to the "response" label.  If so, "sk" will be
> uninitialized and the kernel crashes.
> 
> Signed-off-by: Nathan Holstein <nathan.holstein@...il.com>
> ---
>  net/bluetooth/l2cap.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
> index d527b10..10ae0af 100644
> --- a/net/bluetooth/l2cap.c
> +++ b/net/bluetooth/l2cap.c
> @@ -2911,7 +2911,7 @@ static inline int l2cap_connect_req(struct
> l2cap_conn *conn, struct l2cap_cmd_hd
>  	struct l2cap_chan_list *list = &conn->chan_list;
>  	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
>  	struct l2cap_conn_rsp rsp;
> -	struct sock *parent, *uninitialized_var(sk);
> +	struct sock *parent, *sk = 0;

Your fix is right, but please make *sk = NULL here.
When I wrote that code I thought is was a false positive, but no, it's
bug. :(


-- 
Gustavo F. Padovan
ProFUSION embedded systems - http://profusion.mobi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ