Date:   Wed, 27 Jul 2022 13:26:49 +0530
From:   Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To:     stable@...r.kernel.org,
        Luiz Augusto von Dentz <luiz.dentz@...il.com>
Cc:     Marcel Holtmann <marcel@...tmann.org>, johan.hedberg@...il.com,
        Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>,
        harshit.m.mogalapalli@...il.com,
        Ramanan Govindarajan <ramanan.govindarajan@...cle.com>,
        linux-bluetooth@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>,
        George Kennedy <george.kennedy@...cle.com>,
        John Donnelly <john.p.donnelly@...cle.com>
Subject: Backport request to fix a WARNING in sco_sock_sendmsg on LTS

Hi,

We have seen a WARNING message while fuzzing with syzkaller.


Kernel 5.15.54 on an x86_64

localhost login: [  104.557712] ------------[ cut here ]------------
[  104.558404] WARNING: CPU: 1 PID: 15544 at mm/page_alloc.c:5358 __alloc_pages+0x38a/0x410
[  104.559584] Modules linked in:
[  104.560030] CPU: 1 PID: 15544 Comm: repro Not tainted 5.15.54 #1
[  104.560896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
[  104.562190] RIP: 0010:__alloc_pages+0x38a/0x410
[  104.562864] Code: ff 4c 89 fa 44 89 f6 89 ef 89 6c 24 48 c6 44 24 78 00 4c 89 6c 24 60 e8 c4 e5 ff ff 49 89 c4 e9 43 fe ff ff 40 80 e5 3f eb c5 <0f> 0b eb a5 4c 89 e7 44 89 f6 45 31 e4 e8 c4 9f ff ff e9 4a fe ff
[  104.565421] RSP: 0018:ffff88801b4577f0 EFLAGS: 00010246
[  104.566182] RAX: 0000000000000000 RBX: 1ffff1100368aeff RCX: dffffc0000000000
[  104.567177] RDX: 0000000000000000 RSI: 0000000000000012 RDI: 0000000000040cc0
[  104.568185] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  104.569196] R10: fffffff900000000 R11: 0000000000000001 R12: 0000000000000001
[  104.570194] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  104.571201] FS:  00007fda701c7740(0000) GS:ffff888107080000(0000) knlGS:0000000000000000
[  104.572330] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  104.573146] CR2: 0000000020004640 CR3: 0000000020c34000 CR4: 00000000000006e0
[  104.574149] Call Trace:
[  104.574503]  <TASK>
[  104.574838]  ? __sanitizer_cov_trace_cmp4+0x25/0x90
[  104.575535]  ? __alloc_pages_slowpath.constprop.0+0x16c0/0x16c0
[  104.576391]  ? bpf_ksym_find+0x171/0x1c0
[  104.576985]  ? selinux_socket_sendmsg+0x207/0x2d0
[  104.577938]  ? __sanitizer_cov_trace_const_cmp8+0x27/0x90
[  104.578739]  alloc_pages+0x191/0x3f0
[  104.579258]  kmalloc_order+0x34/0xb0
[  104.579794]  kmalloc_order_trace+0x19/0xa0
[  104.580375]  sco_sock_sendmsg+0x10f/0x300
[  104.581228]  ? security_socket_sendmsg+0x8e/0xc0


I have attached the report and the reproducer. A similar warning was seen
in some testing previously.

Ref: 
https://lore.kernel.org/linux-mm/812dab5c-845d-df58-2752-abea7c07890@google.com/

Commit 99c23da0eed4 ("Bluetooth: sco: Fix lock_sock() blockage by
memcpy_from_msg()") is backported to LTS, so we have this bug on the LTS
branches.

The fix commit is not backported to LTS:
Commit 0771cbb3b97d ("Bluetooth: SCO: Replace use of memcpy_from_msg
with bt_skb_sendmsg")

I have tried backporting onto LTS locally.

Can you please backport the following commits to these LTS branches:
4.14.y, 4.19.y, 5.4.y, 5.10.y, 5.15.y (applying from 1 to 7)?

1. commit 38f64f650dc0e44c146ff88d15a7339efa325918 upstream
	("Bluetooth: Add bt_skb_sendmsg helper")
2. commit 97e4e80299844bb5f6ce5a7540742ffbffae3d97 upstream
	("Bluetooth: Add bt_skb_sendmmsg helper")
3. commit 0771cbb3b97d3c1d68eecd7f00055f599954c34e upstream
	("Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg")
4. commit 81be03e026dc0c16dc1c64e088b2a53b73caa895 upstream
	("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg")
5. commit 266191aa8d14b84958aaeb5e96ee4e97839e3d87 upstream
	("Bluetooth: Fix passing NULL to PTR_ERR")
6. commit 037ce005af6b8a3e40ee07c6e9266c8997e6a4d6 upstream
	("Bluetooth: SCO: Fix sco_send_frame returning skb->len")
7. commit 29fb608396d6a62c1b85acc421ad7a4399085b9f upstream
	("Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks")


Notes:
3 is the fix for the WARNING.
1 and 2 are prerequisites for applying 3. At this stage the WARNING is fixed.
4, 5, 6 and 7 are necessary as they are fixes for the newly introduced commits.

This is a clean cherry-pick series (7 commits) on all mentioned
branches (LTS 4.14->5.15).

I have tested all mentioned LTS branches with the reproducer (only) and
the WARNING is fixed after applying these 7 patches.

Please correct me if I am missing something.


Thanks,
Harshit
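As an added illustration, not code from the mail, the kernel or the cited commits: the warning in __alloc_pages fires when an allocation request exceeds the largest page order the allocator can serve, and reaching it through kmalloc_order from sco_sock_sendmsg means the allocation size was derived from the caller-supplied message length. The user-space C program below models that with a toy allocator. A one-shot path that allocates the whole caller-supplied length trips the toy warning, while an MTU-bounded chunking path, the shape of the bt_skb_sendmsg replacement requested above, never allocates more than one MTU at a time. TOY_MAX_ALLOC, TOY_MTU and every function name here are constructed for this example and do not correspond to real kernel constants or functions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the allocator's largest supported request
 * (the role MAX_ORDER plays in the kernel); not a real kernel value. */
#define TOY_MAX_ALLOC (64u * 1024u)
/* Constructed link MTU for the chunked path; not the real SCO MTU. */
#define TOY_MTU 256u

/* Toy page allocator: refuses oversized requests and records a "warning",
 * the role __alloc_pages plays in the report above. */
static void *toy_alloc(size_t len, int *warned)
{
    if (len > TOY_MAX_ALLOC) {
        *warned = 1;
        return NULL;
    }
    return malloc(len);
}

/* Old shape: one buffer sized by the caller's length, then copy everything.
 * The allocation size is fully under the sender's control. */
static int send_whole(const uint8_t *msg, size_t len, int *warned)
{
    *warned = 0;
    uint8_t *buf = toy_alloc(len, warned);
    if (!buf)
        return -ENOMEM;
    memcpy(buf, msg, len);   /* stands in for the single memcpy_from_msg() */
    free(buf);
    return 0;
}

/* New shape: copy in chunks of at most mtu bytes, so the largest
 * allocation is bounded by the link, not by the caller. */
static int send_chunked(const uint8_t *msg, size_t len, size_t mtu,
                        int *warned, size_t *chunks)
{
    size_t sent = 0;

    *warned = 0;
    *chunks = 0;
    while (sent < len) {
        size_t n = (len - sent < mtu) ? len - sent : mtu;
        uint8_t *buf = toy_alloc(n, warned);
        if (!buf)
            return -ENOMEM;
        memcpy(buf, msg + sent, n);
        free(buf);
        sent += n;
        (*chunks)++;
    }
    return 0;
}

/* Returns 1 if the one-shot path trips the toy warning for a len-byte
 * message, 0 if it completes, -1 if the message cannot be built. */
int whole_path_warns(size_t len)
{
    uint8_t *msg = calloc(len, 1);   /* constructed all-zero payload */
    int warned;

    if (!msg)
        return -1;
    send_whole(msg, len, &warned);
    free(msg);
    return warned;
}

/* Returns the number of chunks the bounded path used for a len-byte
 * message, or -1 if it failed or warned. */
long chunked_path_chunks(size_t len, size_t mtu)
{
    uint8_t *msg = calloc(len, 1);   /* constructed all-zero payload */
    int warned;
    size_t chunks;

    if (!msg)
        return -1;
    if (send_chunked(msg, len, mtu, &warned, &chunks) != 0 || warned) {
        free(msg);
        return -1;
    }
    free(msg);
    return (long)chunks;
}

int main(void)
{
    size_t big = 100000;   /* constructed: larger than TOY_MAX_ALLOC */

    printf("one-shot path, %zu bytes: warning=%d\n", big, whole_path_warns(big));
    printf("chunked path,  %zu bytes: chunks=%ld\n", big, chunked_path_chunks(big, TOY_MTU));
    return 0;
}
```

The point the model makes is the one the backport series relies on: once the per-allocation size is capped by the link MTU rather than by the sendmsg() length, no user-supplied length can reach the allocator's limit, so the WARNING path is unreachable from that socket call.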