lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <5A513494-AAFC-4AF6-9A0E-9271971A67C2@holtmann.org>
Date:   Thu, 25 Jul 2019 15:04:09 +0200
From:   Marcel Holtmann <marcel@...tmann.org>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Johan Hedberg <johan.hedberg@...il.com>,
        linux-bluetooth <linux-bluetooth@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        syzbot <syzbot+0abbda0523882250a97a@...kaller.appspotmail.com>
Subject: Re: KASAN: use-after-free Read in h5_rx_3wire_hdr

Hi Dmitry,

>>>>>> syzbot found the following crash on:
>>>>>> 
>>>>>> HEAD commit:    6d21a41b Add linux-next specific files for 20190718
>>>>>> git tree:       linux-next
>>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1377958fa00000
>>>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=3430a151e1452331
>>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=0abbda0523882250a97a
>>>>>> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>>>>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=113e2bb7a00000
>>>>> 
>>>>> +drivers/bluetooth/hci_h5.c maintainers
>>>>> 
>>>>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>>>>> Reported-by: syzbot+0abbda0523882250a97a@...kaller.appspotmail.com
>>>>>> 
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in h5_rx_3wire_hdr+0x35d/0x3c0
>>>>>> /drivers/bluetooth/hci_h5.c:438
>>>>>> Read of size 1 at addr ffff8880a161d1c8 by task syz-executor.4/12040
>>>>>> 
>>>>>> CPU: 1 PID: 12040 Comm: syz-executor.4 Not tainted 5.2.0-next-20190718 #41
>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>>>> Google 01/01/2011
>>>>>> Call Trace:
>>>>>> __dump_stack /lib/dump_stack.c:77 [inline]
>>>>>> dump_stack+0x172/0x1f0 /lib/dump_stack.c:113
>>>>>> print_address_description.cold+0xd4/0x306 /mm/kasan/report.c:351
>>>>>> __kasan_report.cold+0x1b/0x36 /mm/kasan/report.c:482
>>>>>> kasan_report+0x12/0x17 /mm/kasan/common.c:612
>>>>>> __asan_report_load1_noabort+0x14/0x20 /mm/kasan/generic_report.c:129
>>>>>> h5_rx_3wire_hdr+0x35d/0x3c0 /drivers/bluetooth/hci_h5.c:438
>>>>>> h5_recv+0x32f/0x500 /drivers/bluetooth/hci_h5.c:563
>>>>>> hci_uart_tty_receive+0x279/0x790 /drivers/bluetooth/hci_ldisc.c:600
>>>>>> tiocsti /drivers/tty/tty_io.c:2197 [inline]
>>>>>> tty_ioctl+0x949/0x14f0 /drivers/tty/tty_io.c:2573
>>>>>> vfs_ioctl /fs/ioctl.c:46 [inline]
>>>>>> file_ioctl /fs/ioctl.c:509 [inline]
>>>>>> do_vfs_ioctl+0xdb6/0x13e0 /fs/ioctl.c:696
>>>>>> ksys_ioctl+0xab/0xd0 /fs/ioctl.c:713
>>>>>> __do_sys_ioctl /fs/ioctl.c:720 [inline]
>>>>>> __se_sys_ioctl /fs/ioctl.c:718 [inline]
>>>>>> __x64_sys_ioctl+0x73/0xb0 /fs/ioctl.c:718
>>>>>> do_syscall_64+0xfd/0x6a0 /arch/x86/entry/common.c:296
>>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>> RIP: 0033:0x459819
>>>>>> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
>>>>>> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
>>>>>> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
>>>>>> RSP: 002b:00007f7a3b459c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
>>>>>> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459819
>>>>>> RDX: 0000000020000080 RSI: 0000000000005412 RDI: 0000000000000003
>>>>>> RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
>>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a3b45a6d4
>>>>>> R13: 00000000004c408a R14: 00000000004d7ff0 R15: 00000000ffffffff
>>>> 
>>>> Is this happening on specific hardware?
>>> 
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> 
>> funny ;)
>> 
>> I meant the Bluetooth chip on this machine.
> 
> I don't think there are any Bluetooth chips exposed in GCE VMs. I
> would expect that this bug does not require any hardware to trigger.

then this might be also the same bug as the other missing drivers->ops checking. See https://lore.kernel.org/linux-bluetooth/2E234F47-724D-4CFB-93B5-48E5BDA6F230@holtmann.org/ for a proposed patch. However I have the feeling that hci_h5.c needs to be added to this as well.

Regards

Marcel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ