lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20230428172721.56267-1-kuniyu@amazon.com>
Date:   Fri, 28 Apr 2023 10:27:21 -0700
From:   Kuniyuki Iwashima <kuniyu@...zon.com>
To:     <stephen@...workplumber.org>
CC:     <johan.hedberg@...il.com>, <linux-bluetooth@...r.kernel.org>,
        <luiz.dentz@...il.com>, <marcel@...tmann.org>,
        <netdev@...r.kernel.org>, <kuniyu@...zon.com>
Subject: Re: Fw: [Bug 217383] New: Bluetooth: L2CAP: possible data race in __sco_sock_close()

From:   Stephen Hemminger <stephen@...workplumber.org>
Date:   Fri, 28 Apr 2023 08:52:39 -0700
> Begin forwarded message:
> 
> Date: Fri, 28 Apr 2023 10:22:28 +0000
> From: bugzilla-daemon@...nel.org
> To: stephen@...workplumber.org
> Subject: [Bug 217383] New: Bluetooth: L2CAP: possible data race in __sco_sock_close()
> 
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=217383
> 
>             Bug ID: 217383
>            Summary: Bluetooth: L2CAP: possible data race in
>                     __sco_sock_close()
>            Product: Networking
>            Version: 2.5
>           Hardware: All
>                 OS: Linux
>             Status: NEW
>           Severity: normal
>           Priority: P3
>          Component: Other
>           Assignee: stephen@...workplumber.org
>           Reporter: islituo@...il.com
>         Regression: No
> 
> Our static analysis tool finds a possible data race in the l2cap protocol
> in Linux 6.3.0-rc7:
> 
> In most calling contexts, the variable sk->sk_socket is accessed
> with holding the lock sk->sk_callback_lock. Here is an example:
> 
>   l2cap_sock_accept() --> Line 346 in net/bluetooth/l2cap_sock.c
>       bt_accept_dequeue() --> Line 368 in net/bluetooth/l2cap_sock.c
>           sock_graft() --> Line 240 in net/bluetooth/af_bluetooth.c
>               write_lock_bh(&sk->sk_callback_lock); --> Line 2081 in
> include/net/sock.h (Lock sk->sk_callback_lock)
>               sk_set_socket() --> Line 2084 in include/net/sock.h
>                   sk->sk_socket = sock; --> Line 2054 in include/net/sock.h
> (Access sk->sk_socket)
> 
> However, in the following calling context:
> 
>   sco_sock_shutdown() --> Line 1227 in net/bluetooth/sco.c
>       __sco_sock_close() --> Line 1243 in net/bluetooth/sco.c
>           BT_DBG(..., sk->sk_socket); --> Line 431 in net/bluetooth/sco.c
> (Access sk->sk_socket)

Those two sockets have different proto, BTPROTO_L2CAP and BTPROTO_SCO.
Also, we cannot shutdown() for not-yet-accepted socket, and both
l2cap_sock_accept() and sco_sock_shutdown() take lock_sock().


> 
> the variable sk->sk_socket is accessed without holding the lock
> sk->sk_callback_lock, and thus a data race may occur.
> 
> Reported-by: BassCheck <bass@...a.edu.cn>
> 
> -- 
> You may reply to this email to add a comment.
> 
> You are receiving this mail because:
> You are the assignee for the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ