Date:   Wed, 05 Feb 2020 05:14:11 +0800
From:   kernel test robot <lkp@...el.com>
To:     Manish Mandlik <mmandlik@...gle.com>
Cc:     LKP <lkp@...ts.01.org>, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, linux-bluetooth@...r.kernel.org,
        Marcel Holtmann <marcel@...tmann.org>, philip.li@...el.com
Subject: 6c08fc896b ("Bluetooth: Fix refcount use-after-free issue"):
  WARNING: bad unlock balance detected!

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

commit 6c08fc896b60893c5d673764b0668015d76df462
Author:     Manish Mandlik <mmandlik@...gle.com>
AuthorDate: Tue Jan 28 10:54:14 2020 -0800
Commit:     Marcel Holtmann <marcel@...tmann.org>
CommitDate: Wed Jan 29 04:53:12 2020 +0100

    Bluetooth: Fix refcount use-after-free issue
    
    There is no lock preventing both l2cap_sock_release() and
    chan->ops->close() from running at the same time.
    
    If we consider Thread A running l2cap_chan_timeout() and Thread B running
    l2cap_sock_release(), expected behavior is:
      A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
      A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
      B::l2cap_sock_release()->sock_orphan()
      B::l2cap_sock_release()->l2cap_sock_kill()
    
    where,
    sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks
    socket as SOCK_ZAPPED.
    
    In l2cap_sock_kill(), there is an "if-statement" that checks if both
    sock_orphan() and sock_teardown() have been run, i.e. sk->sk_socket is NULL
    and the socket is marked as SOCK_ZAPPED. The socket is killed if the
    condition is satisfied.
    
    In the race condition, the following occurs:
      A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
      B::l2cap_sock_release()->sock_orphan()
      B::l2cap_sock_release()->l2cap_sock_kill()
      A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
    In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and
    A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug.
    
    Similar condition occurs at other places where teardown/sock_kill is
    happening:
      l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb()
      l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
      l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb()
      l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
      l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb()
      l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill()
    
      l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb()
      l2cap_sock_cleanup_listen()->l2cap_sock_kill()
    
    Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on
    l2cap channel to ensure that the socket is killed only after it is marked
    as zapped and orphaned.
    
    Signed-off-by: Manish Mandlik <mmandlik@...gle.com>
    Signed-off-by: Marcel Holtmann <marcel@...tmann.org>
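The race described in the commit message above, replayed deterministically as an added example (this is not code from the report or from the kernel): a minimal model of the sk_socket/SOCK_ZAPPED check in l2cap_sock_kill(), with the two interleavings chosen explicitly instead of by real threads. The struct, its fields and the helper functions are hypothetical stand-ins named after their kernel counterparts.

```c
/* Added example, not kernel code: a fixed-order replay of the
 * interleaving from the commit message. Names mirror the kernel's
 * (sk_socket, SOCK_ZAPPED, l2cap_sock_kill) but are stand-ins. */
#include <stdio.h>
#include <stdbool.h>

struct sock {
    void *sk_socket;   /* cleared by sock_orphan() */
    bool  zapped;      /* SOCK_ZAPPED, set by l2cap_sock_teardown_cb() */
    int   refcnt;      /* one reference dropped per successful kill */
    int   kills;       /* how many times the kill path actually ran */
};
static void teardown_cb(struct sock *sk) { sk->zapped = true; }
static void sock_orphan(struct sock *sk) { sk->sk_socket = NULL; }

/* Mirrors the "if-statement" in l2cap_sock_kill(): kill only once both
 * teardown and orphan have happened. The check cannot tell whether
 * another path has already passed it and killed the socket. */
static void sock_kill(struct sock *sk)
{
    if (!sk->zapped || sk->sk_socket)
        return;
    sk->kills++;
    sk->refcnt--;      /* a second drop here is the refcount underflow */
}

/* Replay both threads in a fixed order. serialize=false is the race from
 * the commit message; serialize=true runs A's teardown+kill pair
 * atomically, which is what holding the channel lock achieves.
 * Returns how many times the kill path ran: 1 is correct, 2 is the bug. */
int replay(bool serialize)
{
    int placeholder_socket;    /* any non-NULL pointer stands in for sk_socket */
    struct sock sk = { .sk_socket = &placeholder_socket, .zapped = false,
                       .refcnt = 1, .kills = 0 };
    teardown_cb(&sk);          /* A: l2cap_chan_close() -> l2cap_sock_teardown_cb() */
    if (serialize)
        sock_kill(&sk);        /* A: still has a socket, so nothing happens */
    sock_orphan(&sk);          /* B: l2cap_sock_release() -> sock_orphan() */
    sock_kill(&sk);            /* B: zapped and orphaned, kills once */
    if (!serialize)
        sock_kill(&sk);        /* A: late kill sees the same condition, kills again */
    return sk.kills;
}

int main(void)
{
    printf("unserialized kills=%d, serialized kills=%d\n", replay(false), replay(true));
    return 0;
}
```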

151129df2f  Bluetooth: SMP: Fix SALT value in some comments
6c08fc896b  Bluetooth: Fix refcount use-after-free issue
+---------------------------------------------+------------+------------+
|                                             | 151129df2f | 6c08fc896b |
+---------------------------------------------+------------+------------+
| boot_successes                              | 51         | 8          |
| boot_failures                               | 0          | 10         |
| WARNING:bad_unlock_balance_detected         | 0          | 10         |
| BUG:unable_to_handle_page_fault_for_address | 0          | 10         |
| Oops:#[##]                                  | 0          | 10         |
| EIP:print_unlock_imbalance_bug              | 0          | 10         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 10         |
+---------------------------------------------+------------+------------+

If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <lkp@...el.com>

[   54.004083] Unable to find swap-space signature
[main] 10092 iterations. [F:7038 S:2998 HI:1021 STALLED:1]
errno out of range after doing getgid: 1024:Unknown error 1024
[   85.817054] 
[   85.822921] =====================================
[   85.823598] WARNING: bad unlock balance detected!
[   85.824267] 5.5.0-rc7-01832-g6c08fc896b608 #1 Not tainted
[   85.825061] -------------------------------------
[   85.825784] trinity-c1/1057 is trying to release lock (
[   85.826475] BUG: unable to handle page fault for address: 6b6b6ea7
[   85.828073] #PF: supervisor read access in kernel mode
[   85.828800] #PF: error_code(0x0000) - not-present page
[   85.829694] *pde = 00000000 
[   85.830127] Oops: 0000 [#1] PREEMPT SMP
[   85.830689] CPU: 1 PID: 1057 Comm: trinity-c1 Not tainted 5.5.0-rc7-01832-g6c08fc896b608 #1
[   85.831841] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   85.833030] EIP: print_unlock_imbalance_bug+0x6a/0xd0
[   85.833783] Code: 87 40 01 00 e8 97 ed ff ff 68 a4 2b 06 c2 e8 78 40 01 00 8d 83 e0 04 00 00 ff b3 b0 03 00 00 50 68 d0 2b 06 c2 e8 61 40 01 00 <8b> 57 0c 8b 07 e8 21 27 00 00 68 69 29 06 c2 e8 4d 40 01 00 83 c4
[   85.836363] EAX: 0000002b EBX: f10581c0 ECX: 00000000 EDX: 00000282
[   85.837253] ESI: c19589e8 EDI: 6b6b6e9b EBP: f10b3dd4 ESP: f10b3dac
[   85.838154] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010046
[   85.839116] CR0: 80050033 CR2: 6b6b6ea7 CR3: 024b1000 CR4: 00340690
[   85.840001] DR0: b6cb9000 DR1: b627f000 DR2: 00000000 DR3: 00000000
[   85.840885] DR6: fffe0ff0 DR7: 00000600
[   85.849534] Call Trace:
[   85.849924]  lock_release+0x13c/0x3d0
[   85.850457]  ? l2cap_sock_release+0x98/0xc0
[   85.851053]  ? l2cap_sock_release+0x98/0xc0
[   85.851627]  __mutex_unlock_slowpath+0x2f/0x290
[   85.852273]  ? sk_destruct+0x47/0x50
[   85.852807]  mutex_unlock+0x10/0x20
[   85.853277]  l2cap_sock_release+0x98/0xc0
[   85.853641]  __sock_release+0x29/0xb0
[   85.853971]  sock_close+0x10/0x20
[   85.854272]  __fput+0xfe/0x1e0
[   85.854551]  ____fput+0xd/0x10
[   85.854829]  task_work_run+0x77/0xa0
[   85.855192]  do_exit+0x418/0xa30
[   85.855492]  do_group_exit+0x8f/0x90
[   85.855848]  get_signal+0x8e5/0x950
[   85.856194]  do_signal+0x1c/0xc0
[   85.856499]  ? process_cpu_nsleep+0x17/0x20
[   85.856874]  ? sys_clock_nanosleep_time32+0xc9/0x110
[   85.857333]  exit_to_usermode_loop+0x33/0xa0
[   85.857714]  do_int80_syscall_32+0xbd/0x100
[   85.858089]  entry_INT80_32+0x114/0x119
[   85.858434] EIP: 0x809b132
[   85.858686] Code: Bad RIP value.
[   85.858982] EAX: fffffdfe EBX: 00000002 ECX: 00000001 EDX: 00000004
[   85.859535] ESI: 00000004 EDI: 7e7e7e7e EBP: fffffff8 ESP: bfa85108
[   85.860088] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[   85.860687] Modules linked in:
[   85.860981] CR2: 000000006b6b6ea7
[   85.861298] ---[ end trace 3165464af4bfb57a ]---
[   85.861712] EIP: print_unlock_imbalance_bug+0x6a/0xd0

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start b645d5179112cd9a93922bd2c25473f9f0351dbd d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 --
git bisect  bad f924b4c373687bf05c2f856598a64a3a8bfdb399  # 02:18  B      3     8    0   0  Merge 'clk/clk-amlogic' into devel-hourly-2020013022
git bisect good 0aa84350de083fda6878b3c11da2f346182684da  # 02:18  G     12     0    0   0  Merge 'arm-soc/ti/k3-dt2' into devel-hourly-2020013022
git bisect  bad d458e22978565e2291722cd0481be7b91aaec3a6  # 02:18  B      5     7    0   0  Merge 'peterz-queue/x86/misc' into devel-hourly-2020013022
git bisect  bad 88e053051630e64efbe0acd97889ce08923f2c75  # 02:18  B      2    10    0   0  Merge 'kdave-btrfs-devel/for-next-20200129' into devel-hourly-2020013022
git bisect  bad f129fc7122c73596a006176928934a0382f7f855  # 02:18  B      2    10    0   0  Merge 'bluetooth-next/master' into devel-hourly-2020013022
git bisect good 48aabbcf240c8ae6abfd139b1049f227f9817621  # 02:18  G     13     0    0   0  Merge 'iommu/x86/amd' into devel-hourly-2020013022
git bisect  bad 6c08fc896b60893c5d673764b0668015d76df462  # 02:18  B      2    10    0   0  Bluetooth: Fix refcount use-after-free issue
git bisect good 151129df2f4ac29e55be6d3a7be91d0979f71a55  # 02:19  G     39     0    0   0  Bluetooth: SMP: Fix SALT value in some comments
# first bad commit: [6c08fc896b60893c5d673764b0668015d76df462] Bluetooth: Fix refcount use-after-free issue
git bisect good 151129df2f4ac29e55be6d3a7be91d0979f71a55  # 02:19  G     39     0    0   0  Bluetooth: SMP: Fix SALT value in some comments
# extra tests with debug options
# extra tests on revert first bad commit
git bisect good 983086bfa9c8bcf3bc7eb6904e7c4f5fb64dc33c  # 05:13  G     14     0    1   1  Revert "Bluetooth: Fix refcount use-after-free issue"
# good: [983086bfa9c8bcf3bc7eb6904e7c4f5fb64dc33c] Revert "Bluetooth: Fix refcount use-after-free issue"

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Download attachment "dmesg-openwrt-vm-openwrt-36:20200131184514:i386-randconfig-e003-20200129:5.5.0-rc7-01832-g6c08fc896b608:1.gz" of type "application/gzip" (17569 bytes)

View attachment "reproduce-openwrt-vm-openwrt-36:20200131184514:i386-randconfig-e003-20200129:5.5.0-rc7-01832-g6c08fc896b608:1" of type "text/plain" (936 bytes)

Download attachment "b645d5179112cd9a93922bd2c25473f9f0351dbd:gcc-7:i386-randconfig-e003-20200129:WARNING:bad_unlock_balance_detected.xz" of type "application/x-xz" (7040 bytes)

View attachment "config-5.5.0-rc7-01832-g6c08fc896b608" of type "text/plain" (150998 bytes)
