lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+ZcU11Y0OrxsdKcwqAmJ2BmnP9pCYB1gtiBgciM0+H=cA@mail.gmail.com>
Date:   Thu, 20 Aug 2020 08:13:47 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Coiby Xu <coiby.xu@...il.com>
Cc:     syzbot <syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com>,
        abhishekpandit@...omium.org, David Miller <davem@...emloft.net>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Jakub Kicinski <kuba@...nel.org>,
        linux-bluetooth <linux-bluetooth@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Marcel Holtmann <marcel@...tmann.org>,
        netdev <netdev@...r.kernel.org>,
        Rafael Wysocki <rafael@...nel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: BUG: corrupted list in kobject_add_internal

On Thu, Aug 20, 2020 at 8:07 AM Coiby Xu <coiby.xu@...il.com> wrote:
>
> On Fri, Aug 07, 2020 at 09:47:20AM -0700, syzbot wrote:
> >Hello,
> >
> >syzbot found the following issue on:
> >
> >HEAD commit:    5a30a789 Merge tag 'x86-urgent-2020-08-02' of git://git.ke..
> >git tree:       upstream
> >console output: https://syzkaller.appspot.com/x/log.txt?x=1660c858900000
> >kernel config:  https://syzkaller.appspot.com/x/.config?x=c0cfcf935bcc94d2
> >dashboard link: https://syzkaller.appspot.com/bug?extid=dd768a260f7358adbaf9
> >compiler:       gcc (GCC) 10.1.0-syz 20200507
> >syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14b73afc900000
> >C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124893a4900000
> >
> >The issue was bisected to:
> >
> >commit 4f40afc6c76451daff7d0dcfc8a3d113ccf65bfc
> >Author: Abhishek Pandit-Subedi <abhishekpandit@...omium.org>
> >Date:   Wed Mar 11 15:54:01 2020 +0000
> >
> >    Bluetooth: Handle BR/EDR devices during suspend
> >
> >bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11cb1e0a900000
> >final oops:     https://syzkaller.appspot.com/x/report.txt?x=13cb1e0a900000
> >console output: https://syzkaller.appspot.com/x/log.txt?x=15cb1e0a900000
> >
> >IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >Reported-by: syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com
> >Fixes: 4f40afc6c764 ("Bluetooth: Handle BR/EDR devices during suspend")
> >
> >debugfs: Directory '200' with parent 'hci0' already present!
> >list_add double add: new=ffff88808e9b6418, prev=ffff88808e9b6418, next=ffff8880a973ef00.
> >------------[ cut here ]------------
> >kernel BUG at lib/list_debug.c:29!
> >invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> >CPU: 1 PID: 6882 Comm: kworker/u5:1 Not tainted 5.8.0-rc7-syzkaller #0
> >Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >Workqueue: hci0 hci_rx_work
> >RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
> >Code: 57 ff ff ff 4c 89 e1 48 c7 c7 20 92 93 88 e8 b1 f1 c1 fd 0f 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 60 93 93 88 e8 9a f1 c1 fd <0f> 0b 48 89 f1 48 c7 c7 e0 92 93 88 4c 89 e6 e8 86 f1 c1 fd 0f 0b
> >RSP: 0018:ffffc90001777830 EFLAGS: 00010282
> >RAX: 0000000000000058 RBX: ffff8880a973ef00 RCX: 0000000000000000
> >RDX: ffff888094f1c200 RSI: ffffffff815d4ef7 RDI: fffff520002eeef8
> >RBP: ffff88808e9b6418 R08: 0000000000000058 R09: ffff8880ae7318e7
> >R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a973ef00
> >R13: ffff888087315270 R14: ffff88808e9b6430 R15: ffff88808e9b6418
> >FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
> >CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >CR2: 00007ffdcd6db747 CR3: 000000009ba09000 CR4: 00000000001406e0
> >DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >Call Trace:
> > __list_add include/linux/list.h:67 [inline]
> > list_add_tail include/linux/list.h:100 [inline]
> > kobj_kset_join lib/kobject.c:196 [inline]
> > kobject_add_internal+0x18d/0x940 lib/kobject.c:246
> > kobject_add_varg lib/kobject.c:390 [inline]
> > kobject_add+0x150/0x1c0 lib/kobject.c:442
> > device_add+0x35a/0x1be0 drivers/base/core.c:2633
> > hci_conn_add_sysfs+0x84/0xe0 net/bluetooth/hci_sysfs.c:53
> > hci_conn_complete_evt net/bluetooth/hci_event.c:2607 [inline]
> > hci_event_packet+0xe0b/0x86f5 net/bluetooth/hci_event.c:6033
> > hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705
> > process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
> > worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
> > kthread+0x3b5/0x4a0 kernel/kthread.c:291
> > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
> >Modules linked in:
> >---[ end trace b1bcc552c32d25e9 ]---
> >RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
> >Code: 57 ff ff ff 4c 89 e1 48 c7 c7 20 92 93 88 e8 b1 f1 c1 fd 0f 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 60 93 93 88 e8 9a f1 c1 fd <0f> 0b 48 89 f1 48 c7 c7 e0 92 93 88 4c 89 e6 e8 86 f1 c1 fd 0f 0b
> >RSP: 0018:ffffc90001777830 EFLAGS: 00010282
> >RAX: 0000000000000058 RBX: ffff8880a973ef00 RCX: 0000000000000000
> >RDX: ffff888094f1c200 RSI: ffffffff815d4ef7 RDI: fffff520002eeef8
> >RBP: ffff88808e9b6418 R08: 0000000000000058 R09: ffff8880ae7318e7
> >R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a973ef00
> >R13: ffff888087315270 R14: ffff88808e9b6430 R15: ffff88808e9b6418
> >FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
> >CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >CR2: 00007ffdcd6db747 CR3: 0000000009a79000 CR4: 00000000001406e0
> >DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >
> >
> >---
> >This report is generated by a bot. It may contain errors.
> >See https://goo.gl/tpsmEJ for more information about syzbot.
> >syzbot engineers can be reached at syzkaller@...glegroups.com.
> >
> >syzbot will keep track of this issue. See:
> >https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> >syzbot can test patches for this issue, for details see:
> >https://goo.gl/tpsmEJ#testing-patches
> >
> >--
> >You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> >To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> >To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000c57f2d05ac4c5b8e%40google.com.
>
> This problem occurs because the HCI_EV_CONN_COMPLETE event packet is sent
> twice for the same HCI connection,
>
>      struct hci_ev_conn_complete complete;
>      memset(&complete, 0, sizeof(complete));
>      complete.status = 0;
>      complete.handle = HCI_HANDLE_1;
>      memset(&complete.bdaddr, 0xaa, 6);
>      *(uint8_t*)&complete.bdaddr.b[5] = 0x10;
>      complete.link_type = ACL_LINK;
>      complete.encr_mode = 0;
>      hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete,
>                              sizeof(complete));
>
> which leads to kobject_add being called twice. Thus duplicate
> (struct hci_conn *conn)->dev.kobj.entry is inserted into
> (struct hci_conn *conn)->dev.kobj.kset->list.
>
> But if it's the HCI connection creator's responsibility to
> not send the HCI_EV_CONN_COMPLETE event packet twice, then it's not a
> valid bug. Or should we make the kernel more robust by defending against
> this case?

Hi Coiby,

Whoever is sending HCI_EV_CONN_COMPLETE, this should not corrupt
kernel memory. Even if it's firmware, it's not necessary trusted, see:
https://www.blackhat.com/us-20/briefings/schedule/index.html#finding-new-bluetooth-low-energy-exploits-via-reverse-engineering-multiple-vendors-firmwares-19655
and:
https://www.armis.com/bleedingbit/
So if an attacker takes over firmware, they can then corrupt kernel memory.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ