> Hi,
>
> ma, 2023-10-09 kello 20:30 +0800, Ziyang Xuan kirjoitti:
>> Syzbot reports a UAF problem as follows:
>>
>> BUG: KASAN: slab-use-after-free in hci_send_acl+0x48/0xe70 net/bluetooth/hci_core.c:3231
>> ...
>> Call Trace:
>> <TASK>
>> __dump_stack lib/dump_stack.c:88 [inline]
>> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
>> print_address_description mm/kasan/report.c:364 [inline]
>> print_report+0x163/0x540 mm/kasan/report.c:475
>> kasan_report+0x175/0x1b0 mm/kasan/report.c:588
>> hci_send_acl+0x48/0xe70 net/bluetooth/hci_core.c:3231
>> l2cap_send_conn_req net/bluetooth/l2cap_core.c:1286 [inline]
>> l2cap_start_connection+0x465/0x620 net/bluetooth/l2cap_core.c:1514
>> l2cap_conn_start+0xbf3/0x1130 net/bluetooth/l2cap_core.c:1661
>> process_one_work kernel/workqueue.c:2630 [inline]
>> process_scheduled_works+0x90f/0x1400 kernel/workqueue.c:2703
>> worker_thread+0xa5f/0xff0 kernel/workqueue.c:2784
>> kthread+0x2d3/0x370 kernel/kthread.c:388
>> ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
>> </TASK>
>>
>> Allocated by task 27110:
>> kasan_save_stack mm/kasan/common.c:45 [inline]
>> kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
>> ____kasan_kmalloc mm/kasan/common.c:374 [inline]
>> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
>> kmalloc include/linux/slab.h:599 [inline]
>> kzalloc include/linux/slab.h:720 [inline]
>> hci_chan_create+0xc8/0x300 net/bluetooth/hci_conn.c:2714
>> l2cap_conn_add+0x69/0xc10 net/bluetooth/l2cap_core.c:7841
>> l2cap_chan_connect+0x61f/0xeb0 net/bluetooth/l2cap_core.c:8053
>> bt_6lowpan_connect net/bluetooth/6lowpan.c:894 [inline]
>> lowpan_control_write+0x55e/0x850 net/bluetooth/6lowpan.c:1129
>> full_proxy_write+0x113/0x1c0 fs/debugfs/file.c:236
>> vfs_write+0x286/0xaf0 fs/read_write.c:582
>> ksys_write+0x1a0/0x2c0 fs/read_write.c:637
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>
>> Freed by task 5067:
>> kasan_save_stack mm/kasan/common.c:45 [inline]
>> kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
>> kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
>> ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
>> kasan_slab_free include/linux/kasan.h:164 [inline]
>> slab_free_hook mm/slub.c:1800 [inline]
>> slab_free_freelist_hook mm/slub.c:1826 [inline]
>> slab_free mm/slub.c:3809 [inline]
>> __kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
>> hci_chan_list_flush net/bluetooth/hci_conn.c:2754 [inline]
>> hci_conn_cleanup net/bluetooth/hci_conn.c:152 [inline]
>> hci_conn_del+0x4f8/0xc40 net/bluetooth/hci_conn.c:1156
>> hci_abort_conn_sync+0xa45/0xfe0
>> hci_cmd_sync_work+0x228/0x400 net/bluetooth/hci_sync.c:306
>> process_one_work kernel/workqueue.c:2630 [inline]
>> process_scheduled_works+0x90f/0x1400 kernel/workqueue.c:2703
>> worker_thread+0xa5f/0xff0 kernel/workqueue.c:2784
>> kthread+0x2d3/0x370 kernel/kthread.c:388
>> ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
>>
>> There are two main reasons for this:
>> 1. In the case of hci_conn_add() concurrency, the handle of
>> hci_conn allocated through hci_conn_hash_alloc_unset() is not unique.
>> That will result in getting the wrong hci_conn by
>> hci_conn_hash_lookup_handle().
>> 2. The processes related to hci_abort_conn() can re-enter for the same
>> hci_conn because atomic_dec_and_test(&hci_conn->refcnt) is established
>> in hci_conn_drop(). That will make hci_conn UAF.
>>
>> To fix this, use ida to manage the allocation of conn->handle, and
>> add the HCI_CONN_DISC flag to avoid re-entering of the processes related
>> to hci_abort_conn().
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Signed-off-by: Ziyang Xuan <william.xuanziyang@xxxxxxxxxx>
>> ---
>> v2:
>> - Rebase patch base on newest repo.
>> - Remove HCI_CONN_DISC check in lookup interfaces.
>> ---
>> include/net/bluetooth/hci_core.h | 6 ++++-
>> net/bluetooth/hci_conn.c | 38 ++++++++++++++++----------------
>> net/bluetooth/hci_core.c | 3 +++
>> 3 files changed, 27 insertions(+), 20 deletions(-)
>>
>> diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
>> index f36c1fd5d64e..4f44f2bffa57 100644
>> --- a/include/net/bluetooth/hci_core.h
>> +++ b/include/net/bluetooth/hci_core.h
>> @@ -350,6 +350,8 @@ struct hci_dev {
>> struct list_head list;
>> struct mutex lock;
>>
>> + struct ida unset_handle_ida;
>> +
>> const char *name;
>> unsigned long flags;
>> __u16 id;
>> @@ -969,6 +971,7 @@ enum {
>> HCI_CONN_AUTH_INITIATOR,
>> HCI_CONN_DROP,
>> HCI_CONN_CANCEL,
>> + HCI_CONN_DISC,
>> HCI_CONN_PARAM_REMOVAL_PEND,
>> HCI_CONN_NEW_LINK_KEY,
>> HCI_CONN_SCANNING,
>> @@ -1543,7 +1546,8 @@ static inline void hci_conn_drop(struct hci_conn *conn)
>> {
>> BT_DBG("hcon %p orig refcnt %d", conn, atomic_read(&conn->refcnt));
>>
>> - if (atomic_dec_and_test(&conn->refcnt)) {
>> + if (atomic_dec_and_test(&conn->refcnt) &&
>> + !test_bit(HCI_CONN_DISC, &conn->flags)) {
>> unsigned long timeo;
>
> hci_abort_conn already checks if conn->abort_reason was already set, to
> avoid queuing abort for the same conn again. Does this flag not try to
> do the same thing?
That is not enough. hci_conn occur UAF in hci_proto_disconn_ind() before enter
hci_abort_conn().
>
> There are potential races in hci_sync vs. handle reuse since the queued
> abort is not canceled if the conn is deleted by something else. But now
> I'm not sure syzbot hits this race.
Sorry, can you give a specific scenario. I can't understand exactly what you mean.
>
>>
>> switch (conn->type) {
>> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
>> index 974631e652c1..f87281b4386f 100644
>> --- a/net/bluetooth/hci_conn.c
>> +++ b/net/bluetooth/hci_conn.c
>> @@ -153,6 +153,9 @@ static void hci_conn_cleanup(struct hci_conn *conn)
>>
>> hci_conn_hash_del(hdev, conn);
>>
>> + if (HCI_CONN_HANDLE_UNSET(conn->handle))
>> + ida_free(&hdev->unset_handle_ida, conn->handle);
>> +
>> if (conn->cleanup)
>> conn->cleanup(conn);
>>
>> @@ -929,29 +932,17 @@ static void cis_cleanup(struct hci_conn *conn)
>> hci_le_remove_cig(hdev, conn->iso_qos.ucast.cig);
>> }
>>
>> -static u16 hci_conn_hash_alloc_unset(struct hci_dev *hdev)
>> +static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
>> {
>> - struct hci_conn_hash *h = &hdev->conn_hash;
>> - struct hci_conn *c;
>> - u16 handle = HCI_CONN_HANDLE_MAX + 1;
>> -
>> - rcu_read_lock();
>> -
>> - list_for_each_entry_rcu(c, &h->list, list) {
>> - /* Find the first unused handle */
>> - if (handle == 0xffff || c->handle != handle)
>> - break;
>> - handle++;
>> - }
>> - rcu_read_unlock();
>
> The original hci_conn_hash_alloc_unset seems to have wrong logic. It'll
> e.g. always return HCI_CONN_HANDLE_MAX+1 except if the first conn in
> conn_hash (which is not in particular order) has that handle...
>
> The code paths adding/deleting conns or entering here / setting handles
> should be holding hdev->lock, so probably no concurrency issue in it.
>
> Is syzbot happy with just this handle allocation fixed?
Just fix handle, hci_conn occur UAF in hci_proto_disconn_ind() within hci_conn_timeout() process.
>
>> -
>> - return handle;
>> + return ida_alloc_range(&hdev->unset_handle_ida, HCI_CONN_HANDLE_MAX + 1,
>> + U16_MAX, GFP_ATOMIC);
>> }
>>
>
