lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <66f6cae2.050a0220.46d20.001f.GAE@google.com>
Date: Fri, 27 Sep 2024 08:10:26 -0700
From: syzbot <syzbot+ea704362ec2bbf4ddcca@...kaller.appspotmail.com>
To: johan.hedberg@...il.com, linux-bluetooth@...r.kernel.org, 
	linux-kernel@...r.kernel.org, luiz.dentz@...il.com, marcel@...tmann.org, 
	syzkaller-bugs@...glegroups.com
Subject: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in mgmt_device_connected

Hello,

syzbot found the following issue on:

HEAD commit:    df54f4a16f82 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1201531f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dde5a5ba8d41ee9e
dashboard link: https://syzkaller.appspot.com/bug?extid=ea704362ec2bbf4ddcca
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aa2eb06e0aea/disk-df54f4a1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/14728733d385/vmlinux-df54f4a1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/99816271407d/Image-df54f4a1.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ea704362ec2bbf4ddcca@...kaller.appspotmail.com

Bluetooth: Wrong link type (-22)
Bluetooth: Unknown BR/EDR signaling command 0x0f
Bluetooth: Wrong link type (-22)
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
BUG: KASAN: slab-use-after-free in mgmt_device_connected+0x48/0x524 net/bluetooth/mgmt.c:9650
Write of size 8 at addr ffff0000fa89c838 by task kworker/u9:2/6409

CPU: 0 UID: 0 PID: 6409 Comm: kworker/u9:2 Not tainted 6.11.0-rc5-syzkaller-gdf54f4a16f82 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci3 hci_rx_work
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:317
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189
 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
 mgmt_device_connected+0x48/0x524 net/bluetooth/mgmt.c:9650
 l2cap_connect_req net/bluetooth/l2cap_core.c:4077 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0x1324/0xc914 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x4ac/0x15f0 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3785 [inline]
 hci_rx_work+0x2b8/0xa80 net/bluetooth/hci_core.c:4022
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Allocated by task 6409:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_noprof+0x244/0x374 mm/slub.c:4189
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 __hci_conn_add+0x25c/0x13cc net/bluetooth/hci_conn.c:934
 hci_conn_add_unset+0x78/0xf8 net/bluetooth/hci_conn.c:1043
 hci_conn_request_evt+0x4fc/0xb08 net/bluetooth/hci_event.c:3288
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x8dc/0x106c net/bluetooth/hci_event.c:7498
 hci_rx_work+0x318/0xa80 net/bluetooth/hci_core.c:4017
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Freed by task 6412:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object+0x128/0x180 mm/kasan/common.c:240
 __kasan_slab_free+0x3c/0x70 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x154/0x3e0 mm/slub.c:4594
 bt_link_release+0x20/0x30 net/bluetooth/hci_sysfs.c:16
 device_release+0x8c/0x1ac
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x2a8/0x41c lib/kobject.c:737
 put_device drivers/base/core.c:3790 [inline]
 device_unregister+0x3c/0xcc drivers/base/core.c:3913
 hci_conn_del_sysfs+0xf0/0x170 net/bluetooth/hci_sysfs.c:86
 hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
 hci_conn_del+0x72c/0xaa0 net/bluetooth/hci_conn.c:1162
 hci_conn_failed+0x244/0x350 net/bluetooth/hci_conn.c:1266
 hci_abort_conn_sync+0x500/0xbb0 net/bluetooth/hci_sync.c:5545
 abort_conn_sync+0x224/0x25c net/bluetooth/hci_conn.c:2917
 hci_cmd_sync_work+0x1cc/0x34c net/bluetooth/hci_sync.c:328
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 __kasan_record_aux_stack+0xd0/0xec mm/kasan/generic.c:541
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:551
 insert_work+0x54/0x2d4 kernel/workqueue.c:2185
 __queue_work+0xe20/0x1308 kernel/workqueue.c:2341
 delayed_work_timer_fn+0x74/0x90 kernel/workqueue.c:2487
 call_timer_fn+0x1b4/0x8e8 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1838 [inline]
 __run_timers kernel/time/timer.c:2417 [inline]
 __run_timer_base+0x59c/0x7b4 kernel/time/timer.c:2428
 run_timer_base kernel/time/timer.c:2437 [inline]
 run_timer_softirq+0xcc/0x194 kernel/time/timer.c:2447
 handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
 __do_softirq+0x14/0x20 kernel/softirq.c:588

The buggy address belongs to the object at ffff0000fa89c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2104 bytes inside of
 freed 8192-byte region [ffff0000fa89c000, ffff0000fa89e000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13a898
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 05ffc00000000040 ffff0000c0002280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
head: 05ffc00000000040 ffff0000c0002280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000001fdffffff 0000000000000000
head: 05ffc00000000003 fffffdffc3ea2601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000fa89c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000fa89c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000fa89c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff0000fa89c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000fa89c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000064
KASAN: null-ptr-deref in range [0x0000000000000320-0x0000000000000327]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000064] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6409 Comm: kworker/u9:2 Tainted: G    B              6.11.0-rc5-syzkaller-gdf54f4a16f82 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci3 hci_rx_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : l2cap_send_cmd+0x484/0x770 net/bluetooth/l2cap_core.c:964
lr : l2cap_send_cmd+0x478/0x770 net/bluetooth/l2cap_core.c:964
sp : ffff8000ab0c71a0
x29: ffff8000ab0c71c0 x28: dfff800000000000 x27: ffff0000ccc2c90e
x26: ffff0000ccc2c90c x25: 0000000000000010 x24: 0000000000000000
x23: ffff0000ce726010 x22: ffff0000c8eec000 x21: 0000000000000322
x20: ffff0000c5fd7640 x19: ffff0000ce726000 x18: 1fffe00036799fe6
x17: ffff80008a4ba0fc x16: ffff800080a863f4 x15: 0000000000000001
x14: 1fffe00019985922 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000100000 x10: 0000000000032ad3 x9 : ffff800093f02100
x8 : 0000000000000064 x7 : 0000000200090000 x6 : 0000000200090000
x5 : ffff0000ccc2c918 x4 : ffff8000ab0c7888 x3 : ffff80008a4ab374
x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
Call trace:
 l2cap_send_cmd+0x484/0x770 net/bluetooth/l2cap_core.c:964
 l2cap_connect net/bluetooth/l2cap_core.c:4034 [inline]
 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0x25c8/0xc914 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x4ac/0x15f0 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3785 [inline]
 hci_rx_work+0x2b8/0xa80 net/bluetooth/hci_core.c:4022
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 9769fc8a f94002a8 910c8915 d343fea8 (38fc6908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	9769fc8a 	bl	0xfffffffffda7f228
   4:	f94002a8 	ldr	x8, [x21]
   8:	910c8915 	add	x21, x8, #0x322
   c:	d343fea8 	lsr	x8, x21, #3
* 10:	38fc6908 	ldrsb	w8, [x8, x28] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ