#syz test

On Tue, Oct 22, 2024 at 12:44 PM Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx> wrote:
>
> #syz test
>
> On Mon, Oct 7, 2024 at 4:54 PM Luiz Augusto von Dentz
> <luiz.dentz@xxxxxxxxx> wrote:
> >
> > #syz test
> >
> > On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz
> > <luiz.dentz@xxxxxxxxx> wrote:
> > >
> > > #syz test
> > >
> > > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz
> > > <luiz.dentz@xxxxxxxxx> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > >
> > > > > > > #syz test
> > > > > > >
> > > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > #syz test
> > > > > > > >
> > > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > > >
> > > > > > > > > #syz test
> > > > > > > > >
> > > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > > > >
> > > > > > > > > > #syz test
> > > > > > > > > >
> > > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > > > > >
> > > > > > > > > > > #syz test
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> > > > > > > > > > > >
> > > > > > > > > > > > This makes use of disable_delayed_work_sync instead of
> > > > > > > > > > > > cancel_delayed_work_sync as it not only cancels the ongoing work but also
> > > > > > > > > > > > disables new submits, which is desirable since the object holding the work
> > > > > > > > > > > > is about to be freed.
> > > > > > > > > > > >
> > > > > > > > > > > > In addition to it, remove the call to sco_sock_set_timer on __sco_sock_close
> > > > > > > > > > > > since at that point it is useless to set a timer, as the sk will be freed and
> > > > > > > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > > > > > > >
> > > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> > > > > > > > > > > > ---
> > > > > > > > > > > >  net/bluetooth/sco.c | 13 +------------
> > > > > > > > > > > >  1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > > > > > > >
> > > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> > > > > > > > > > > > index a5ac160c592e..2b1e66976068 100644
> > > > > > > > > > > > --- a/net/bluetooth/sco.c
> > > > > > > > > > > > +++ b/net/bluetooth/sco.c
> > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > > > > > > kfree(conn); > > 
> > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > > > > > > case BT_CONFIG: > > > > > > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > > > > > > - } else > > > > > > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > > > > > > - break; > > > > > > > > > > > > - > > > > > > > > > > > > case BT_CONNECT2: > > > > > > > > > > > > case BT_CONNECT: > > > > > > > > > > > > case BT_DISCONN: > > > > > > > > > > > > -- > > > > > > > > > > > > 2.46.1 > > > > > > > > > > > -- > > > > > > > > > > > Luiz Augusto von Dentz -- Luiz Augusto von Dentz
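Review bot: in the sco_conn_del() hunk (@@ -208,7 +208,7 @@), the comment kept above the changed line, "Ensure no more work items will run before freeing conn.", now understates the change: the commit message gives as the reason for switching to disable_delayed_work_sync() that later attempts to schedule timeout_work against the soon-to-be-freed conn are rejected, so the comment should say that too, e.g. "Cancel pending work and reject any further scheduling before freeing conn." Also, disable_delayed_work_sync() postdates the Fixes: commit ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work"), so a stable backport of this one-liner will not build on trees without the disable/enable work APIs; a note for the stable maintainers in the commit message would help.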
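Review bot: the __sco_sock_close() hunk (@@ -442,17 +442,6 @@) does more than the commit message says. The message describes it as removing the sco_sock_set_timer() call, but the hunk deletes the whole BT_CONNECTED/BT_CONFIG branch: the move to BT_DISCONN, hci_conn_drop(sco_pi(sk)->conn->hcon), the clearing of conn->hcon and the sco_chan_del(sk, ECONNRESET) fallback, so those two states now fall through to the BT_CONNECT2/BT_CONNECT/BT_DISCONN handling. Two things need to be spelled out: where the hci_conn reference that hci_conn_drop() used to release is now dropped (otherwise the hcon leaks when a connected socket is closed), and why the graceful SCO_DISCONN_TIMEOUT wait in BT_DISCONN is no longer needed. A one-line description is too thin for an 11-line state-machine change carrying a Fixes: tag.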
From 018604f4be8f1e769a358b1e7bf93e1c2cc83e28 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date: Tue, 22 Oct 2024 12:31:08 -0400
Subject: [PATCH v1] Bluetooth: SCO: Fix UAF on sco_sock_timeout

conn->sk may have been unlinked/freed while waiting for sco_conn_lock, so
this checks if the conn->sk is still valid by checking if it is part of
sco_sk_list.

Reported-by: syzbot+4c0d0c4cde787116d465@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
---
 include/net/bluetooth/bluetooth.h |  1 +
 net/bluetooth/af_bluetooth.c      | 22 ++++++++++++++++++++++
 net/bluetooth/sco.c               | 18 ++++++++++++------
 3 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h index 5d655e109b2c..f66bc85c6411 100644 --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -403,6 +403,7 @@ int bt_sock_register(int proto, const struct net_proto_family *ops); void bt_sock_unregister(int proto); void bt_sock_link(struct bt_sock_list *l, struct sock *s); void bt_sock_unlink(struct bt_sock_list *l, struct sock *s); +bool bt_sock_linked(struct bt_sock_list *l, struct sock *s); struct sock *bt_sock_alloc(struct net *net, struct socket *sock, struct proto *prot, int proto, gfp_t prio, int kern); int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index e39fba5565c5..0b4d0a8bd361 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c
@@ -185,6 +185,28 @@ void bt_sock_unlink(struct bt_sock_list *l, struct sock *sk) } EXPORT_SYMBOL(bt_sock_unlink); +bool bt_sock_linked(struct bt_sock_list *l, struct sock *s) +{ + struct sock *sk; + + if (!l || !s) + return false; + + read_lock(&l->lock); + + sk_for_each(sk, &l->head) { + if (s == sk) { + read_unlock(&l->lock); + return true; + } + } + + read_unlock(&l->lock); + + return false; +} +EXPORT_SYMBOL(bt_sock_linked); + void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh) { const struct cred *old_cred; diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index a5ac160c592e..1c7252a36866 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -76,6 +76,16 @@ struct sco_pinfo { #define SCO_CONN_TIMEOUT (HZ * 40) #define SCO_DISCONN_TIMEOUT (HZ * 2) +static struct sock *sco_sock_hold(struct sco_conn *conn) +{ + if (!conn || !bt_sock_linked(&sco_sk_list, conn->sk)) + return NULL; + + sock_hold(conn->sk); + + return conn->sk; +} + static void sco_sock_timeout(struct work_struct *work) { struct sco_conn *conn = container_of(work, struct sco_conn, @@ -87,9 +97,7 @@ static void sco_sock_timeout(struct work_struct *work) sco_conn_unlock(conn); return; } - sk = conn->sk; - if (sk) - sock_hold(sk); + sk = sco_sock_hold(conn); sco_conn_unlock(conn); if (!sk) @@ -194,9 +202,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) /* Kill socket */ sco_conn_lock(conn); - sk = conn->sk; - if (sk) - sock_hold(sk); + sk = sco_sock_hold(conn); sco_conn_unlock(conn); if (sk) { -- 2.47.0
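Review bot: in the af_bluetooth.c hunk (@@ -185,6 +185,28 @@), bt_sock_linked() releases l->lock before returning, so its answer is stale the moment the caller gets it; the check-then-sock_hold() sequence built on it in sco_sock_hold() is only safe if the path that unlinks and frees the socket cannot run in between, which in this patch has to come from the callers holding sco_conn_lock(). That dependency belongs in a comment on bt_sock_linked() and in the commit message, because the helper is EXPORT_SYMBOL'd for general use and a caller without such a lock would reintroduce exactly the race this patch is fixing. Minor: the `!l` test is purely defensive, every caller passes a list head it already owns.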
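Review bot: the first sco.c hunk (@@ -76,6 +76,16 @@, sco_sock_hold()) tests liveness by pointer equality, and a freed struct sock can be reallocated at the same address and linked into sco_sk_list before the timeout work runs; the membership test would then pass for an unrelated socket and the caller would hold and operate on the wrong sk. Clearing conn->sk under sco_conn_lock() wherever the socket is unlinked would make the pointer never stale and remove the need for the list walk. Two smaller points on the same lines: the `!conn` check is dead, since both callers have already done sco_conn_lock(conn) on it, and conn->sk is read twice (once for the check, once for sock_hold() and the return); read it once into a local.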
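Review bot: the two remaining sco.c hunks (@@ -87,9 +97,7 @@ in sco_sock_timeout() and @@ -194,9 +202,7 @@ in sco_conn_del()) replace the open-coded `sk = conn->sk; if (sk) sock_hold(sk);` with sco_sock_hold(conn), but the subject and body of the commit message mention only sco_sock_timeout. Say that sco_conn_del() had the same pattern and gets the same check, and explain which path frees sk without clearing conn->sk; without that, a reader following the Fixes: tag cannot judge whether the added check closes the race or only narrows it.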