On 29 December 2016 at 09:51, Ezequiel Garcia
<ezequiel@xxxxxxxxxxxxxxxxxxxx> wrote:
> As per the comment in include/linux/net.h, the recvfrom handlers
> should expect msg_name to be NULL. However, bt_sock_recvmsg()
> is currently not checking it, which could lead to a NULL pointer
> dereference.
>
> The following NULL pointer dereference was produced while testing
> L2CAP datagram reception. Note that the kernel is tainted due to
> the r8723bs module being inserted. However, it seems the fix still
> applies.
>
> $ l2test -r -G
> l2test[326]: Receiving ...
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> pgd = ee008000
> [00000000] *pgd=7f896835
> Internal error: Oops: 817 [#1] PREEMPT SMP ARM
> Modules linked in: r8723bs(O)
> CPU: 0 PID: 326 Comm: l2test Tainted: G O 4.8.0 #1
> Hardware name: Allwinner sun7i (A20) Family
> task: ef1c6880 task.stack: eea70000
> PC is at __memzero+0x58/0x80
> LR is at l2cap_skb_msg_name+0x1c/0x4c
> pc : [<c02c47d8>] lr : [<c0506278>] psr: 00070013
> sp : eea71e60 ip : 00000000 fp : 00034e1c
> r10: 00000000 r9 : 00000000 r8 : eea71ed4
> r7 : 000002a0 r6 : eea71ed8 r5 : 00000000 r4 : ee4a5d80
> r3 : 00000000 r2 : 00000000 r1 : 0000000e r0 : 00000000
> Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 10c5387d Table: 7600806a DAC: 00000051
> Process l2test (pid: 326, stack limit = 0xeea70210)
> Stack: (0xeea71e60 to 0xeea72000)
> 1e60: ee4a5d80 eeac2800 000002a0 c04d7114 173eefa0 00000000 c06ca68e 00000000
> 1e80: 00000001 eeac2800 eef23500 00000000 000002a0 eea71ed4 eea70000 c0504d50
> 1ea0: 00000000 00000000 eef23500 00000000 00000000 c044e8a0 eea71edc eea9f904
> 1ec0: bef89aa0 fffffff7 00000000 00035008 000002a0 00000000 00000000 00000000
> 1ee0: 00000000 00000000 eea71ed4 00000000 00000000 00000000 00004000 00000000
> 1f00: 0000011b c01078c4 eea70000 c044e5e4 00000000 00000000 642f0001 6c2f7665
> 1f20: 0000676f 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1f40: 00000000 00000000 00000000 00000000 00000000 ffffffff 00000001 bef89ad8
> 1f60: 000000a8 c01078c4 eea70000 00000000 00034e1c c01e6c74 00000000 00000000
> 1f80: 00034e1c 000341f8 00000000 00000123 c01078c4 c044e90c 00000000 00000000
> 1fa0: 000002a0 c0107700 00034e1c 000341f8 00000003 00035008 000002a0 00000000
> 1fc0: 00034e1c 000341f8 00000000 00000123 00000000 00000000 00011ffc 00034e1c
> 1fe0: 00000000 bef89aa4 0001211c b6eebb60 60070010 00000003 00000000 00000000
> [<c02c47d8>] (__memzero) from [<c0506278>] (l2cap_skb_msg_name+0x1c/0x4c)
> [<c0506278>] (l2cap_skb_msg_name) from [<c04d7114>] (bt_sock_recvmsg+0x128/0x160)
> [<c04d7114>] (bt_sock_recvmsg) from [<c0504d50>] (l2cap_sock_recvmsg+0x98/0x134)
> [<c0504d50>] (l2cap_sock_recvmsg) from [<c044e8a0>] (SyS_recvfrom+0x94/0xec)
> [<c044e8a0>] (SyS_recvfrom) from [<c044e90c>] (SyS_recv+0x14/0x1c)
> [<c044e90c>] (SyS_recv) from [<c0107700>] (ret_fast_syscall+0x0/0x3c)
> Code: e3110010 18a0500c e49de004 e3110008 (18a0000c)
> ---[ end trace 224e35e79fe06b42 ]---
>
> Signed-off-by: Ezequiel Garcia <ezequiel@xxxxxxxxxxxxxxxxxxxx>
> ---
> net/bluetooth/af_bluetooth.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 1aff2da9bc74..cfb2faba46de 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -245,7 +245,7 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
> if (err == 0) {
> sock_recv_ts_and_drops(msg, sk, skb);
>
> - if (bt_sk(sk)->skb_msg_name)
> + if (msg->msg_name && bt_sk(sk)->skb_msg_name)
> bt_sk(sk)->skb_msg_name(skb, msg->msg_name,
> &msg->msg_namelen);
> }
> --
> 2.11.0
>
Any feedback here?
--
Ezequiel García, VanguardiaSur
www.vanguardiasur.com.ar
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
