lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 23 Aug 2020 00:16:46 +0800
From:   Coiby Xu <coiby.xu@...il.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     syzbot <syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com>,
        abhishekpandit@...omium.org, David Miller <davem@...emloft.net>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Jakub Kicinski <kuba@...nel.org>,
        linux-bluetooth <linux-bluetooth@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Marcel Holtmann <marcel@...tmann.org>,
        netdev <netdev@...r.kernel.org>,
        Rafael Wysocki <rafael@...nel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: BUG: corrupted list in kobject_add_internal

On Thu, Aug 20, 2020 at 08:13:47AM +0200, Dmitry Vyukov wrote:
>On Thu, Aug 20, 2020 at 8:07 AM Coiby Xu <coiby.xu@...il.com> wrote:
>>
>> On Fri, Aug 07, 2020 at 09:47:20AM -0700, syzbot wrote:
>> >Hello,
>> >
>> >syzbot found the following issue on:
>> >
>> >HEAD commit:    5a30a789 Merge tag 'x86-urgent-2020-08-02' of git://git.ke..
>> >git tree:       upstream
>> >console output: https://syzkaller.appspot.com/x/log.txt?x=1660c858900000
>> >kernel config:  https://syzkaller.appspot.com/x/.config?x=c0cfcf935bcc94d2
>> >dashboard link: https://syzkaller.appspot.com/bug?extid=dd768a260f7358adbaf9
>> >compiler:       gcc (GCC) 10.1.0-syz 20200507
>> >syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14b73afc900000
>> >C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124893a4900000
>> >
>> >The issue was bisected to:
>> >
>> >commit 4f40afc6c76451daff7d0dcfc8a3d113ccf65bfc
>> >Author: Abhishek Pandit-Subedi <abhishekpandit@...omium.org>
>> >Date:   Wed Mar 11 15:54:01 2020 +0000
>> >
>> >    Bluetooth: Handle BR/EDR devices during suspend
>> >
>> >bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11cb1e0a900000
>> >final oops:     https://syzkaller.appspot.com/x/report.txt?x=13cb1e0a900000
>> >console output: https://syzkaller.appspot.com/x/log.txt?x=15cb1e0a900000
>> >
>> >IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> >Reported-by: syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com
>> >Fixes: 4f40afc6c764 ("Bluetooth: Handle BR/EDR devices during suspend")
>> >
>> >debugfs: Directory '200' with parent 'hci0' already present!
>> >list_add double add: new=ffff88808e9b6418, prev=ffff88808e9b6418, next=ffff8880a973ef00.
>> >------------[ cut here ]------------
>> >kernel BUG at lib/list_debug.c:29!
>> >invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>> >CPU: 1 PID: 6882 Comm: kworker/u5:1 Not tainted 5.8.0-rc7-syzkaller #0
>> >Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> >Workqueue: hci0 hci_rx_work
>> >RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
>> >Code: 57 ff ff ff 4c 89 e1 48 c7 c7 20 92 93 88 e8 b1 f1 c1 fd 0f 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 60 93 93 88 e8 9a f1 c1 fd <0f> 0b 48 89 f1 48 c7 c7 e0 92 93 88 4c 89 e6 e8 86 f1 c1 fd 0f 0b
>> >RSP: 0018:ffffc90001777830 EFLAGS: 00010282
>> >RAX: 0000000000000058 RBX: ffff8880a973ef00 RCX: 0000000000000000
>> >RDX: ffff888094f1c200 RSI: ffffffff815d4ef7 RDI: fffff520002eeef8
>> >RBP: ffff88808e9b6418 R08: 0000000000000058 R09: ffff8880ae7318e7
>> >R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a973ef00
>> >R13: ffff888087315270 R14: ffff88808e9b6430 R15: ffff88808e9b6418
>> >FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
>> >CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> >CR2: 00007ffdcd6db747 CR3: 000000009ba09000 CR4: 00000000001406e0
>> >DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> >DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> >Call Trace:
>> > __list_add include/linux/list.h:67 [inline]
>> > list_add_tail include/linux/list.h:100 [inline]
>> > kobj_kset_join lib/kobject.c:196 [inline]
>> > kobject_add_internal+0x18d/0x940 lib/kobject.c:246
>> > kobject_add_varg lib/kobject.c:390 [inline]
>> > kobject_add+0x150/0x1c0 lib/kobject.c:442
>> > device_add+0x35a/0x1be0 drivers/base/core.c:2633
>> > hci_conn_add_sysfs+0x84/0xe0 net/bluetooth/hci_sysfs.c:53
>> > hci_conn_complete_evt net/bluetooth/hci_event.c:2607 [inline]
>> > hci_event_packet+0xe0b/0x86f5 net/bluetooth/hci_event.c:6033
>> > hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705
>> > process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
>> > worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
>> > kthread+0x3b5/0x4a0 kernel/kthread.c:291
>> > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
>> >Modules linked in:
>> >---[ end trace b1bcc552c32d25e9 ]---
>> >RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
>> >Code: 57 ff ff ff 4c 89 e1 48 c7 c7 20 92 93 88 e8 b1 f1 c1 fd 0f 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 60 93 93 88 e8 9a f1 c1 fd <0f> 0b 48 89 f1 48 c7 c7 e0 92 93 88 4c 89 e6 e8 86 f1 c1 fd 0f 0b
>> >RSP: 0018:ffffc90001777830 EFLAGS: 00010282
>> >RAX: 0000000000000058 RBX: ffff8880a973ef00 RCX: 0000000000000000
>> >RDX: ffff888094f1c200 RSI: ffffffff815d4ef7 RDI: fffff520002eeef8
>> >RBP: ffff88808e9b6418 R08: 0000000000000058 R09: ffff8880ae7318e7
>> >R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a973ef00
>> >R13: ffff888087315270 R14: ffff88808e9b6430 R15: ffff88808e9b6418
>> >FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
>> >CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> >CR2: 00007ffdcd6db747 CR3: 0000000009a79000 CR4: 00000000001406e0
>> >DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> >DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> >
>> >
>> >---
>> >This report is generated by a bot. It may contain errors.
>> >See https://goo.gl/tpsmEJ for more information about syzbot.
>> >syzbot engineers can be reached at syzkaller@...glegroups.com.
>> >
>> >syzbot will keep track of this issue. See:
>> >https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> >For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>> >syzbot can test patches for this issue, for details see:
>> >https://goo.gl/tpsmEJ#testing-patches
>> >
>> >--
>> >You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> >To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
>> >To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000c57f2d05ac4c5b8e%40google.com.
>>
>> This problem occurs because the HCI_EV_CONN_COMPLETE event packet is sent
>> twice for the same HCI connection,
>>
>>      struct hci_ev_conn_complete complete;
>>      memset(&complete, 0, sizeof(complete));
>>      complete.status = 0;
>>      complete.handle = HCI_HANDLE_1;
>>      memset(&complete.bdaddr, 0xaa, 6);
>>      *(uint8_t*)&complete.bdaddr.b[5] = 0x10;
>>      complete.link_type = ACL_LINK;
>>      complete.encr_mode = 0;
>>      hci_send_event_packet(vhci_fd, HCI_EV_CONN_COMPLETE, &complete,
>>                              sizeof(complete));
>>
>> which leads to kobject_add being called twice. Thus duplicate
>> (struct hci_conn *conn)->dev.kobj.entry is inserted into
>> (struct hci_conn *conn)->dev.kobj.kset->list.
>>
>> But if it's the HCI connection creator's responsibility to
>> not send the HCI_EV_CONN_COMPLETE event packet twice, then it's not a
>> valid bug. Or should we make the kernel more robust by defending against
>> this case?
>
>Hi Coiby,

Hi Dmitry,

>
>Whoever is sending HCI_EV_CONN_COMPLETE, this should not corrupt
>kernel memory. Even if it's firmware, it's not necessary trusted, see:
>https://www.blackhat.com/us-20/briefings/schedule/index.html#finding-new-bluetooth-low-energy-exploits-via-reverse-engineering-multiple-vendors-firmwares-19655
>and:
>https://www.armis.com/bleedingbit/
>So if an attacker takes over firmware, they can then corrupt kernel memory.

Thank you for sharing the links. Although I haven't found out how exactly
this "list_add double add" corruption would be exploited by an attacker
in the two resources or on the Internet (the closest one I can find is
CVE-2019-2215 which exploits list_del with CONFIG_DEBUG_LIST disabled),
this should be an interesting bug and I'll learn more about Bluetooth to
fix it.

--
Best regards,
Coiby

Powered by blists - more mailing lists