Message-ID: <202210030832.mmRQJWt6-lkp@intel.com>
Date: Mon, 3 Oct 2022 08:54:21 +0800
From: kernel test robot <lkp@...el.com>
To: Maxim Mikityanskiy <maxtram95@...il.com>,
Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>
Cc: llvm@...ts.linux.dev, kbuild-all@...ts.01.org,
Mat Martineau <mathew.j.martineau@...ux.intel.com>,
Gustavo Padovan <gustavo.padovan@...labora.co.uk>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
Maxim Mikityanskiy <maxtram95@...il.com>
Subject: Re: [PATCH] Bluetooth: L2CAP: Fix use-after-free caused by
l2cap_reassemble_sdu
Hi Maxim,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master mptcp/export linus/master v6.0 next-20220930]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Maxim-Mikityanskiy/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_reassemble_sdu/20221003-061206
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
config: arm-randconfig-r023-20221003
compiler: clang version 16.0.0 (https://github.com/llvm/llvm-project 791a7ae1ba3efd6bca96338e10ffde557ba83920)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://github.com/intel-lab-lkp/linux/commit/72e1f19d6b44551bdc1bf570f9be071ad4e0284d
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Maxim-Mikityanskiy/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_reassemble_sdu/20221003-061206
git checkout 72e1f19d6b44551bdc1bf570f9be071ad4e0284d
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm SHELL=/bin/bash net/bluetooth/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@...el.com>
All errors (new ones prefixed by >>):
>> net/bluetooth/l2cap_core.c:6889:4: error: expected expression
struct l2cap_ctrl local_control;
^
>> net/bluetooth/l2cap_core.c:6905:4: error: use of undeclared identifier 'local_control'
local_control = *control;
^
net/bluetooth/l2cap_core.c:6910:8: error: use of undeclared identifier 'local_control'
if (local_control.final) {
^
net/bluetooth/l2cap_core.c:6913:6: error: use of undeclared identifier 'local_control'
local_control.final = 0;
^
net/bluetooth/l2cap_core.c:6914:34: error: use of undeclared identifier 'local_control'; did you mean '__pack_control'?
l2cap_retransmit_all(chan, &local_control);
^~~~~~~~~~~~~
__pack_control
net/bluetooth/l2cap_core.c:1115:20: note: '__pack_control' declared here
static inline void __pack_control(struct l2cap_chan *chan,
^
5 errors generated.
vim +6889 net/bluetooth/l2cap_core.c
6874
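/*
 * l2cap_rx_state_recv - handle an ERTM receive-side event in the RECV state
 * @chan:    channel the event belongs to
 * @control: parsed control field of the received frame (NULL-checked on
 *           the RNR path only)
 * @skb:     received frame; freed here on exit unless a branch below takes
 *           ownership of it and sets skb_in_use
 * @event:   one of the L2CAP_EV_RECV_* events
 *
 * Return: 0, or the error returned by l2cap_reassemble_sdu().
 */
static int l2cap_rx_state_recv(struct l2cap_chan *chan,
			       struct l2cap_ctrl *control,
			       struct sk_buff *skb, u8 event)
{
	/* Private copy of *control for the L2CAP_TXSEQ_EXPECTED path.
	 * Declared with the other locals: in C11 a declaration is not a
	 * statement, so it cannot directly follow a case label (that is the
	 * "expected expression" build error reported against line 6889).
	 */
	struct l2cap_ctrl local_control;
	int err = 0;
	bool skb_in_use = false;

	BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
	       event);

	switch (event) {
	case L2CAP_EV_RECV_IFRAME:
		switch (l2cap_classify_txseq(chan, control->txseq)) {
		case L2CAP_TXSEQ_EXPECTED:
			l2cap_pass_to_tx(chan, control);

			if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
				BT_DBG("Busy, discarding expected seq %d",
				       control->txseq);
				break;
			}

			chan->expected_tx_seq = __next_seq(chan,
							   control->txseq);

			chan->buffer_seq = chan->expected_tx_seq;
			skb_in_use = true;

			/* l2cap_reassemble_sdu() takes over skb and may free
			 * it. The patch under review treats *control as
			 * invalid after that call (it presumably lives in the
			 * skb), so snapshot it first and only read the copy
			 * below.
			 */
			local_control = *control;
			err = l2cap_reassemble_sdu(chan, skb, control);
			if (err)
				break;

			if (local_control.final) {
				if (!test_and_clear_bit(CONN_REJ_ACT,
							&chan->conn_state)) {
					local_control.final = 0;
					l2cap_retransmit_all(chan, &local_control);
					l2cap_ertm_send(chan);
				}
			}

			if (!test_bit(CONN_LOCAL_BUSY, &chan->conn_state))
				l2cap_send_ack(chan);
			break;
		case L2CAP_TXSEQ_UNEXPECTED:
			l2cap_pass_to_tx(chan, control);

			/* Can't issue SREJ frames in the local busy state.
			 * Drop this frame, it will be seen as missing
			 * when local busy is exited.
			 */
			if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
				BT_DBG("Busy, discarding unexpected seq %d",
				       control->txseq);
				break;
			}

			/* There was a gap in the sequence, so an SREJ
			 * must be sent for each missing frame. The
			 * current frame is stored for later use.
			 */
			skb_queue_tail(&chan->srej_q, skb);
			skb_in_use = true;
			BT_DBG("Queued %p (queue len %d)", skb,
			       skb_queue_len(&chan->srej_q));

			clear_bit(CONN_SREJ_ACT, &chan->conn_state);
			l2cap_seq_list_clear(&chan->srej_list);
			l2cap_send_srej(chan, control->txseq);

			chan->rx_state = L2CAP_RX_STATE_SREJ_SENT;
			break;
		case L2CAP_TXSEQ_DUPLICATE:
			l2cap_pass_to_tx(chan, control);
			break;
		case L2CAP_TXSEQ_INVALID_IGNORE:
			break;
		case L2CAP_TXSEQ_INVALID:
		default:
			/* Unrecoverable sequence error: tear the channel down. */
			l2cap_send_disconn_req(chan, ECONNRESET);
			break;
		}
		break;
	case L2CAP_EV_RECV_RR:
		l2cap_pass_to_tx(chan, control);
		if (control->final) {
			clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);

			if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
			    !__chan_is_moving(chan)) {
				control->final = 0;
				l2cap_retransmit_all(chan, control);
			}

			l2cap_ertm_send(chan);
		} else if (control->poll) {
			l2cap_send_i_or_rr_or_rnr(chan);
		} else {
			if (test_and_clear_bit(CONN_REMOTE_BUSY,
					       &chan->conn_state) &&
			    chan->unacked_frames)
				__set_retrans_timer(chan);

			l2cap_ertm_send(chan);
		}
		break;
	case L2CAP_EV_RECV_RNR:
		set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
		l2cap_pass_to_tx(chan, control);
		if (control && control->poll) {
			set_bit(CONN_SEND_FBIT, &chan->conn_state);
			l2cap_send_rr_or_rnr(chan, 0);
		}
		__clear_retrans_timer(chan);
		l2cap_seq_list_clear(&chan->retrans_list);
		break;
	case L2CAP_EV_RECV_REJ:
		l2cap_handle_rej(chan, control);
		break;
	case L2CAP_EV_RECV_SREJ:
		l2cap_handle_srej(chan, control);
		break;
	default:
		break;
	}

	/* Nothing above kept a reference to skb: release it here. */
	if (skb && !skb_in_use) {
		BT_DBG("Freeing %p", skb);
		kfree_skb(skb);
	}

	return err;
}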
7011
--
0-DAY CI Kernel Test Service
https://01.org/lkp