lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CABBYNZLyCzQ_RUJKUi8dpZorPjUsyCxXcZ-ScmMHWx0a86Ra5w@mail.gmail.com>
Date:   Fri, 30 Sep 2022 10:46:41 -0700
From:   Luiz Augusto von Dentz <luiz.dentz@...il.com>
To:     Sungwoo Kim <iam@...g-woo.kim>
Cc:     davem@...emloft.net, edumazet@...gle.com, johan.hedberg@...il.com,
        kuba@...nel.org, linux-bluetooth@...r.kernel.org,
        linux-kernel@...r.kernel.org, marcel@...tmann.org,
        netdev@...r.kernel.org, pabeni@...hat.com,
        syzkaller@...glegroups.com
Subject: Re: KASAN: use-after-free in __mutex_lock

Hi Kim,

On Fri, Sep 30, 2022 at 9:09 AM Sungwoo Kim <iam@...g-woo.kim> wrote:
>
> Hi Dentz,
> How about to use l2cap_get_chan_by_scid because it looks resposible to
> handle ref_cnt.
>
> Signed-off-by: Sungwoo Kim <iam@...g-woo.kim>
> ---
>  net/bluetooth/l2cap_core.c | 24 +++++++-----------------
>  1 file changed, 7 insertions(+), 17 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 2c9de67da..d3a074cbc 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4291,26 +4291,18 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
>         BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
>                dcid, scid, result, status);
>
> -       mutex_lock(&conn->chan_lock);
> -
>         if (scid) {
> -               chan = __l2cap_get_chan_by_scid(conn, scid);
> -               if (!chan) {
> -                       err = -EBADSLT;
> -                       goto unlock;
> -               }
> +               chan = l2cap_get_chan_by_scid(conn, scid);
> +               if (!chan)
> +                       return -EBADSLT;
>         } else {
> -               chan = __l2cap_get_chan_by_ident(conn, cmd->ident);
> -               if (!chan) {
> -                       err = -EBADSLT;
> -                       goto unlock;
> -               }
> +               chan = l2cap_get_chan_by_ident(conn, cmd->ident);
> +               if (!chan)
> +                       return -EBADSLT;
>         }
>
>         err = 0;
>
> -       l2cap_chan_lock(chan);
> -
>         switch (result) {
>         case L2CAP_CR_SUCCESS:
>                 l2cap_state_change(chan, BT_CONFIG);
> @@ -4336,9 +4328,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
>         }
>
>         l2cap_chan_unlock(chan);
> -
> -unlock:
> -       mutex_unlock(&conn->chan_lock);
> +       l2cap_chan_put(chan);
>
>         return err;
>  }
> --
> 2.25.1

Ive sent a fix yesterday:

https://patchwork.kernel.org/project/bluetooth/patch/20220929203241.4140795-1-luiz.dentz@gmail.com/

Both are sorta similar but the one above end up causing less code
changes which might be easier to backport.

-- 
Luiz Augusto von Dentz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ