Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-14 08:02:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
bce5640520
linux/net
History
Sungwoo Kim bce5640520 Bluetooth: HCI: Fix global-out-of-bounds 
To loop a variable-length array, hci_init_stage_sync(stage) considers
that stage[i] is valid as long as stage[i-1].func is valid.
Thus, the last element of stage[].func should be intentionally invalid
as hci_init0[], le_init2[], and others did.
However, amp_init1[] and amp_init2[] have no invalid element, letting
hci_init_stage_sync() keep accessing amp_init1[] over its valid range.
This patch fixes this by adding {} in the last of amp_init1[] and
amp_init2[].

==================================================================
BUG: KASAN: global-out-of-bounds in hci_dev_open_sync (
/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
/v6.2-bzimage/net/bluetooth/hci_sync.c:3343
/v6.2-bzimage/net/bluetooth/hci_sync.c:4418
/v6.2-bzimage/net/bluetooth/hci_sync.c:4609
/v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032
CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04
Workqueue: hci1 hci_power_on
Call Trace:
 <TASK>
dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))
print_report (/v6.2-bzimage/mm/kasan/report.c:307
  /v6.2-bzimage/mm/kasan/report.c:417)
? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
  /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
kasan_report (/v6.2-bzimage/mm/kasan/report.c:184
  /v6.2-bzimage/mm/kasan/report.c:519)
? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
  /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
  /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
  /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)
? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190
  /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443
  /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781
  /v6.2-bzimage/kernel/locking/mutex.c:171
  /v6.2-bzimage/kernel/locking/mutex.c:285)
? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)
hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485
  /v6.2-bzimage/net/bluetooth/hci_core.c:984)
? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)
? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)
? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62
  /v6.2-bzimage/lib/string.c:161)
process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)
worker_thread (/v6.2-bzimage/./include/linux/list.h:292
  /v6.2-bzimage/kernel/workqueue.c:2437)
? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)
kthread (/v6.2-bzimage/kernel/kthread.c:376)
? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)
ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)
 </TASK>
The buggy address belongs to the variable:
amp_init1+0x30/0x60
The buggy address belongs to the physical page:
page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
 ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
                                                             ^
 ffffffffaed1ab80: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 f9
 ffffffffaed1ac00: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 02 f9

This bug is found by FuzzBT, a modified version of Syzkaller.
Other contributors for this bug are Ruoyu Wu and Peng Hui.

Fixes: d0b137062b ("Bluetooth: hci_sync: Rework init stages")
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2023-03-23 13:09:38 -07:00
..
6lowpan
9p 9p patches for 6.3 merge window (part 1) 2023-03-01 08:52:49 -08:00
802 treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
8021q
appletalk
atm
ax25
batman-adv batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
bluetooth Bluetooth: HCI: Fix global-out-of-bounds 2023-03-23 13:09:38 -07:00
bpf bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES 2023-03-06 11:15:54 -08:00
bpfilter
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf 2023-02-22 21:25:23 -08:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-02 22:22:07 -08:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-02-09 12:25:40 -08:00
ceph Networking changes for 6.3. 2023-02-21 18:24:12 -08:00
core net: xdp: don't call notifiers during driver init 2023-03-16 21:33:08 -07:00
dcb net: dcb: add helper functions to retrieve PCP and DSCP rewrite maps 2023-01-20 09:33:22 +00:00
dccp dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. 2023-02-10 19:53:42 -08:00
devlink devlink: drop leftover duplicate/unused code 2023-02-20 11:38:35 +00:00
dns_resolver
dsa net: dsa: tag_brcm: legacy: fix daisy-chained switches 2023-03-21 17:29:13 -07:00
ethernet net: ethernet: use sysfs_emit() to instead of scnprintf() 2022-12-07 20:02:44 -08:00
ethtool net: ethtool: fix __ethtool_dev_mm_supported() implementation 2023-02-21 09:05:01 -08:00
hsr hsr: ratelimit only when errors are printed 2023-03-16 21:11:03 -07:00
ieee802154 ieee802154: Prevent user from crashing the host 2023-03-02 14:39:48 +01:00
ife
ipv4 erspan: do not use skb_mac_header() in ndo_start_xmit() 2023-03-21 21:16:26 -07:00
ipv6 erspan: do not use skb_mac_header() in ndo_start_xmit() 2023-03-21 21:16:26 -07:00
iucv net/iucv: Fix size of interrupt data 2023-03-16 17:34:40 -07:00
kcm net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
key af_key: Fix heap information leak 2023-02-13 09:30:14 +00:00
l2tp l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register() 2023-02-20 09:25:20 +00:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: check basic rates validity 2023-03-10 11:47:00 +01:00
mac802154 Merge tag 'ieee802154-for-net-next-2023-02-20' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next 2023-02-20 16:40:52 -08:00
mctp net: mctp: purge receive queues on sk destruction 2023-01-28 00:26:09 -08:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-15 10:26:37 +00:00
mptcp mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket() 2023-03-10 21:42:56 -08:00
ncsi net: Use of_property_read_bool() for boolean properties 2023-03-16 17:41:28 +00:00
netfilter netfilter: nft_redir: correct value of inet type .maxattrs 2023-03-08 12:26:42 +01:00
netlabel
netlink genetlink: Use string_is_terminated() helper 2023-02-09 22:30:24 -08:00
netrom netrom: Fix use-after-free caused by accept on already connected socket 2023-01-30 07:30:47 +00:00
nfc nfc: change order inside nfc_se_io error path 2023-03-07 13:37:05 -08:00
nsh
openvswitch There is no particular theme here - mainly quick hits all over the tree. 2023-02-23 17:55:40 -08:00
packet net: no longer support SOCK_REFCNT_DEBUG feature 2023-02-15 10:25:21 +00:00
phonet net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
psample
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-02-02 14:49:55 -08:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-02-13 09:33:39 +00:00
rfkill rfkill: Use sysfs_emit() to instead of sprintf() 2023-02-14 12:21:14 +01:00
rose net/rose: Fix to not accept on connected socket 2023-01-28 00:19:57 -08:00
rxrpc Networking changes for 6.3. 2023-02-21 18:24:12 -08:00
sched net/sched: act_api: add specific EXT_WARN_MSG for tc action 2023-03-16 21:25:45 -07:00
sctp sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop 2023-02-23 12:59:40 -08:00
smc net/smc: Fix device de-init sequence 2023-03-15 08:15:19 +00:00
strparser
sunrpc nfsd-6.3 fixes: 2023-03-10 08:45:30 -08:00
switchdev
tipc Networking changes for 6.3. 2023-02-21 18:24:12 -08:00
tls net: tls: fix device-offloaded sendpage straddling records 2023-03-06 13:26:16 -08:00
unix af_unix: fix struct pid leaks in OOB support 2023-03-08 23:26:03 -08:00
vmw_vsock virtio/vsock: don't drop skbuff on copy failure 2023-03-16 17:28:23 +00:00
wireless Including fixes from netfilter, wifi and ipsec. 2023-03-17 13:31:16 -07:00
x25 net/x25: Fix to not accept on connected socket 2023-01-25 09:51:04 +00:00
xdp xsk: add linux/vmalloc.h to xsk.c 2023-02-21 09:00:09 -08:00
xfrm ipsec-2023-03-15 2023-03-16 17:23:48 -07:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile devlink: move code to a dedicated directory 2023-01-05 22:12:00 -08:00
socket.c net: avoid double iput when sock_alloc_file fails 2023-03-08 23:26:51 -08:00
sysctl_net.c