lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <FF91258F-2875-4569-9195-6321409DFEA6@holtmann.org>
Date:   Wed, 3 Feb 2021 14:33:32 +0100
From:   Marcel Holtmann <marcel@...tmann.org>
To:     Howard Chung <howardchung@...gle.com>
Cc:     Bluetooth Kernel Mailing List <linux-bluetooth@...r.kernel.org>,
        Miao-chen Chou <mcchou@...omium.org>,
        Manish Mandlik <mmandlik@...omium.org>,
        Archie Pusaka <apusaka@...omium.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Luiz Augusto von Dentz <luiz.dentz@...il.com>,
        LKML <linux-kernel@...r.kernel.org>, netdev@...r.kernel.org
Subject: Re: [PATCH v1] Bluetooth: Fix crash in
 mgmt_add_adv_patterns_monitor_complete

Hi Howard,

> If hci_add_adv_monitor is a pending command(e.g. forward to
> msft_add_monitor_pattern), it is possible that
> mgmt_add_adv_patterns_monitor_complete gets called before
> cmd->user_data gets set, which will cause a crash when we
> try to get the moniter handle through cmd->user_data in
> mgmt_add_adv_patterns_monitor_complete.
> 
> This moves the cmd->user_data assignment earlier than
> hci_add_adv_monitor.
> 
> RIP: 0010:mgmt_add_adv_patterns_monitor_complete+0x82/0x187 [bluetooth]
> Code: 1e bf 03 00 00 00 be 52 00 00 00 4c 89 ea e8 9e
> e4 02 00 49 89 c6 48 85 c0 0f 84 06 01 00 00 48 89 5d b8 4c 89 fb 4d 8b
> 7e 30 <41> 0f b7 47 18 66 89 45 c0 45 84 e4 75 5a 4d 8b 56 28 48 8d 4d
> c8
> RSP: 0018:ffffae81807dbcb8 EFLAGS: 00010286
> RAX: ffff91c4bdf723c0 RBX: 0000000000000000 RCX: ffff91c4e5da5b80
> RDX: ffff91c405680000 RSI: 0000000000000052 RDI: ffff91c49d654c00
> RBP: ffffae81807dbd00 R08: ffff91c49fb157e0 R09: ffff91c49fb157e0
> R10: 000000000002a4f0 R11: ffffffffc0819cfd R12: 0000000000000000
> R13: ffff91c405680000 R14: ffff91c4bdf723c0 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff91c4ea300000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000018 CR3: 0000000133612002 CR4:
> 00000000003606e0
> Call Trace:
> ? msft_le_monitor_advertisement_cb+0x111/0x141
> [bluetooth]
> hci_event_packet+0x425e/0x631c [bluetooth]
> ? printk+0x59/0x73
> ? __switch_to_asm+0x41/0x70
> ?
> msft_le_set_advertisement_filter_enable_cb+0xa6/0xa6 [bluetooth]
> ? bt_dbg+0xb4/0xbb [bluetooth]
> ? __switch_to_asm+0x41/0x70
> hci_rx_work+0x101/0x319 [bluetooth]
> process_one_work+0x257/0x506
> worker_thread+0x10d/0x284
> kthread+0x14c/0x154
> ? process_one_work+0x506/0x506
> ? kthread_blkcg+0x2c/0x2c
> ret_from_fork+0x1f/0x40
> 
> Reviewed-by: Miao-chen Chou <mcchou@...omium.org>
> Reviewed-by: Manish Mandlik <mmandlik@...omium.org>
> Reviewed-by: Archie Pusaka <apusaka@...omium.org>
> Signed-off-by: Howard Chung <howardchung@...gle.com>
> ---
> 
> net/bluetooth/mgmt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ