| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Jan 2023 14:09:28 -0800
From: Luiz Augusto von Dentz <luiz.dentz@...il.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: Sungwoo Kim <iam@...g-woo.kim>, daveti@...due.edu, wuruoyu@...com,
benquike@...il.com, Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
"open list:BLUETOOTH SUBSYSTEM" <linux-bluetooth@...r.kernel.org>,
"open list:NETWORKING [GENERAL]" <netdev@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] L2CAP: Fix null-ptr-deref in l2cap_sock_set_shutdown_cb
Hi Kim, Eric,
On Wed, Jan 18, 2023 at 8:16 PM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Thu, Jan 19, 2023 at 2:35 AM Sungwoo Kim <iam@...g-woo.kim> wrote:
> >
> > The L2CAP socket shutdown invokes l2cap_sock_destruct without a lock
> > on conn->chan_lock, assigning NULL to chan->data *just before*
> > the l2cap_disconnect_req thread that accesses to chan->data.
>
> This is racy then ?
>
> > This patch prevent it by adding a null check for a workaround, instead
> > of fixing a lock.
>
> This would at least require some barriers I think.
>
> What about other _cb helpers also reading/using chan->data ?
Perhaps it would be a good idea to include the stack backtrace so we
can better understand it, at some point we might need to refactor or
locks to avoid circular dependencies.
> >
> > This bug is found by FuzzBT, a modified Syzkaller by Sungwoo Kim(me).
> > Ruoyu Wu(wuruoyu@...com) and Hui Peng(benquike@...il.com) has helped
> > the FuzzBT project.
> >
> > Signed-off-by: Sungwoo Kim <iam@...g-woo.kim>
>
> I would also add
>
> Fixes: 1bff51ea59a9 ("Bluetooth: fix use-after-free error in
> lock_sock_nested()")
+1
> > ---
> > net/bluetooth/l2cap_sock.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> > index ca8f07f35..350c7afdf 100644
> > --- a/net/bluetooth/l2cap_sock.c
> > +++ b/net/bluetooth/l2cap_sock.c
> > @@ -1681,9 +1681,11 @@ static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan)
> > {
> > struct sock *sk = chan->data;
> >
>
> Other similar fixes simply do:
>
> if (!sk)
> return;
>
> I would chose to use the same coding style in net/bluetooth/l2cap_sock.c
Yep, at least l2cap_sock_close_cb and l2cap_sock_shutdown do that already.
>
> > - lock_sock(sk);
> > - sk->sk_shutdown = SHUTDOWN_MASK;
> > - release_sock(sk);
> > + if (!sk) {
> > + lock_sock(sk);
> > + sk->sk_shutdown = SHUTDOWN_MASK;
> > + release_sock(sk);
> > + }
> > }
> >
> > static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan)
> > --
> > 2.25.1
> >
--
Luiz Augusto von Dentz
Powered by blists - more mailing lists