lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 22 May 2012 11:50:29 +0900
From:	Minho Ban <mhban@...sung.com>
To:	Gustavo Padovan <gustavo@...ovan.org>,
	Marcel Holtmann <marcel@...tmann.org>,
	Johan Hedberg <johan.hedberg@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [RFC/PATCH] Bluetooth: prevent double l2cap_chan_destroy

On 05/22/2012 01:21 AM, Gustavo Padovan wrote:
> Hi Minho,
> 
> * Minho Ban <mhban@...sung.com> [2012-05-21 09:56:40 +0900]:
> 
>> l2cap_sock_kill can be called in l2cap_sock_release and l2cap_sock_close_cb
>> either. This lead l2cap_chan_destroy to be called twice for same channel.
>> To prevent double list_del and double chan_put, chan_destroy should be protected
>> with chan->refcnt and chan_list_lock so that reentrance could be forbidden.
> 
> Even if l2cap_sock_kill() is called twice it will call l2cap_chan_destroy()
> only once. If this is not happening we just have a broken piece of code
> somewhere else and not here.
> 
> 	Gustavo
> 

Thanks for comment but I could not found any suitable code in l2cap_sock_kill that 
can make l2cap_chan_destroy to be called just once. sock flag test is not enough to 
do it.

I agree this path should not be the fix. Testing chan->refcnt is nonsense because 
chan might have been freed already. So I looked for another point,

@@ -1343,10 +1343,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
                l2cap_chan_lock(chan);
 
                l2cap_chan_del(chan, err);
+               chan->ops->close(chan->data);
 
                l2cap_chan_unlock(chan);
 
-               chan->ops->close(chan->data);
                l2cap_chan_put(chan);
        }

close callback must locate within chan_lock unless it can be scheduled to other thread 
which may wait for chan_lock in l2cap_sock_shutdown and this lead to duplicate sock_kill.

 static void l2cap_sock_kill(struct sock *sk)
 {
-       if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
+       if (!sock_flag(sk, SOCK_ZAPPED) || sock_flag(sk, SOCK_DEAD) ||
+                       sk->sk_socket)
                return;
 
        BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));

Duplicate sock_kill may happen anyway, need test SOCK_DEAD if chan_destroy is already called.

Regards,
Minho Ban
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ