lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 14 Oct 2010 18:37:53 -0400
From:	Nathan Holstein <nathan.holstein@...il.com>
To:	linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org
Subject: [PATCH] fix oops in l2cap_connect_req

(Please keep me in the CC list, I'm not subscribed to lkml)

[1] L2CAP module dereferences an uninitialized pointer within l2cap_connect_req.

[2] I'm currently testing a 2.6.35 kernel on a Nexus One with backported
patches from bluetooth-2.6.  When testing against certain BT devices, I'm seeing
a null-pointer deref.  The crash is caused by this portion of commit e9aeb2dd:

@@ -2966,6 +2991,15 @@ sendresp:
                                        L2CAP_INFO_REQ, sizeof(info), &info);
        }

+       if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
+                               result == L2CAP_CR_SUCCESS) {
+               u8 buf[128];
+               l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
+               l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+                                       l2cap_build_conf_req(sk, buf), buf);
+               l2cap_pi(sk)->num_conf_req++;
+       }
+
        return 0;
 }

Multiple error cases jump to the response & sendresp labels prior to
initializing
the "sk" variable.  In the case I'm currently seeing, the remote BT
device fails to
properly secure the ACL, making this crash 100% reproducible.

[3] Bluetooth, L2CAP

[4] This bug appears to be in the mainline 2.6.36-rc? kernel, in addition to
 multiple Bluetooth development trees

The following patch fixes the crash.


   --nathan

---
In error cases when the ACL is insecure or we fail to allocate a new
struct sock, we jump to the "response" label.  If so, "sk" will be
uninitialized and the kernel crashes.

Signed-off-by: Nathan Holstein <nathan.holstein@...il.com>
---
 net/bluetooth/l2cap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index d527b10..10ae0af 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -2911,7 +2911,7 @@ static inline int l2cap_connect_req(struct
l2cap_conn *conn, struct l2cap_cmd_hd
 	struct l2cap_chan_list *list = &conn->chan_list;
 	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
 	struct l2cap_conn_rsp rsp;
-	struct sock *parent, *uninitialized_var(sk);
+	struct sock *parent, *sk = 0;
 	int result, status = L2CAP_CS_NO_INFO;

 	u16 dcid = 0, scid = __le16_to_cpu(req->scid);
@@ -3020,7 +3020,7 @@ sendresp:
 					L2CAP_INFO_REQ, sizeof(info), &info);
 	}

-	if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
+	if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
 				result == L2CAP_CR_SUCCESS) {
 		u8 buf[128];
 		l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-- 
1.7.2.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ