lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1287171320.3316.62.camel@aeonflux>
Date:	Fri, 15 Oct 2010 22:35:20 +0300
From:	Marcel Holtmann <marcel@...tmann.org>
To:	Nathan Holstein <nathan.holstein@...il.com>
Cc:	"Gustavo F. Padovan" <padovan@...fusion.mobi>,
	linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org
Subject: Re: [PATCH] fix oops in l2cap_connect_req

Hi Nathan,

> > * Nathan Holstein <nathan.holstein@...il.com> [2010-10-14 18:37:53 -0400]:
> >
> >> (Please keep me in the CC list, I'm not subscribed to lkml)
> >>
> >> [1] L2CAP module dereferences an uninitialized pointer within l2cap_connect_req.
> >>
> >> [2] I'm currently testing a 2.6.35 kernel on a Nexus One with backported
> >> patches from bluetooth-2.6.  When testing against certain BT devices, I'm seeing
> >> a null-pointer deref.  The crash is caused by this portion of commit e9aeb2dd:
> >>
> >> @@ -2966,6 +2991,15 @@ sendresp:
> >>                                         L2CAP_INFO_REQ, sizeof(info), &info);
> >>         }
> >>
> >> +       if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
> >> +                               result == L2CAP_CR_SUCCESS) {
> >> +               u8 buf[128];
> >> +               l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
> >> +               l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
> >> +                                       l2cap_build_conf_req(sk, buf), buf);
> >> +               l2cap_pi(sk)->num_conf_req++;
> >> +       }
> >> +
> >>         return 0;
> >>  }
> >>
> >> Multiple error cases jump to the response & sendresp labels prior to
> >> initializing
> >> the "sk" variable.  In the case I'm currently seeing, the remote BT
> >> device fails to
> >> properly secure the ACL, making this crash 100% reproducible.
> >>
> >> [3] Bluetooth, L2CAP
> >>
> >> [4] This bug appears to be in the mainline 2.6.36-rc? kernel, in addition to
> >>  multiple Bluetooth development trees
> >>
> >> The following patch fixes the crash.
> >>
> >>
> >>    --nathan

please send new patches with [PATCH v2] prefix to make it easier for
Gustavo to keep track.

> >> In error cases when the ACL is insecure or we fail to allocate a new
> >> struct sock, we jump to the "response" label.  If so, "sk" will be
> >> uninitialized and the kernel crashes.
> >>
> >> Signed-off-by: Nathan Holstein <nathan.holstein@...il.com>

Acked-by: Marcel Holtmann <marcel@...tmann.org>

Regards

Marcel


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ