* L2CAP: Spec violation
From: Sungwoo Kim @ 2022-11-04 16:11 UTC (permalink / raw)
To: marcel
Cc: johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
linux-bluetooth, netdev, linux-kernel
Hello,
Our fuzzer found a BT spec violation, an illegal state transition in L2CAP.
Specifically, l2cap_chan::state is transitioned from BT_CONFIG to
BT_DISCONN by CONFIG_RSP by the following trace:
l2cap_config_rsp l2cap_core.c:4498
l2cap_send_disconn_req l2cap_core.c:4585
l2cap_state_change l2cap_core.c:1618
According to the spec 5.3 vol.3 part A 6.1.4, CONFIG_RSP cannot cause
that transition, i.e., CONFIG -> DISCONN by CONFIG_RSP is illegal.
It'd be great if we could discuss.
Thanks,
Sungwoo.
* Re: L2CAP: Spec violation
From: Luiz Augusto von Dentz @ 2022-11-14 22:05 UTC (permalink / raw)
To: Sungwoo Kim
Cc: marcel, johan.hedberg, davem, edumazet, kuba, pabeni,
linux-bluetooth, netdev, linux-kernel
Hi Kim,
On Fri, Nov 4, 2022 at 9:13 AM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> Hello,
>
> Our fuzzer found a BT spec violation, an illegal state transition in L2CAP.
> Specifically, l2cap_chan::state is transitioned from BT_CONFIG to
> BT_DISCONN by CONFIG_RSP by the following trace:
>
> l2cap_config_rsp l2cap_core.c:4498
> l2cap_send_disconn_req l2cap_core.c:4585
> l2cap_state_change l2cap_core.c:1618
>
> According to the spec 5.3 vol.3 part A 6.1.4, CONFIG_RSP cannot cause
> that transition, i.e., CONFIG -> DISCONN by CONFIG_RSP is illegal.
> It'd be great if we could discuss.
Can you include some btmon traces?
--
Luiz Augusto von Dentz
* Re: L2CAP: Spec violation
From: Sungwoo Kim @ 2022-11-15 5:02 UTC (permalink / raw)
To: luiz.dentz
Cc: davem, edumazet, iam, johan.hedberg, kuba, linux-bluetooth,
linux-kernel, marcel, netdev, pabeni
Sure,
btmon trace:
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 17.083174
invalid packet size (12 != 1033)
08 00 01 00 02 01 04 00 01 10 ff ff ............
@ MGMT Event: Device Connected (0x000b) plen 13 {0x0002} [hci0] 17.104462
BR/EDR Address: 10:AA:AA:AA:AA:AA (OUI 10-AA-AA)
Flags: 0x00000000
Data length: 0
@ MGMT Event: Device Connected (0x000b) plen 13 {0x0001} [hci0] 17.104462
BR/EDR Address: 10:AA:AA:AA:AA:AA (OUI 10-AA-AA)
Flags: 0x00000000
Data length: 0
< ACL Data TX: Handle 200 flags 0x02 dlen 16 #33 [hci0] 17.149691
L2CAP: Connection Response (0x03) ident 1 len 8
Destination CID: 64
Source CID: 65535
Result: Connection pending (0x0001)
Status: No further information available (0x0000)
< ACL Data TX: Handle 200 flags 0x02 dlen 10 #34 [hci0] 17.154828
L2CAP: Information Request (0x0a) ident 2 len 2
Type: Extended features supported (0x0002)
> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 17.145762
invalid packet size (16 != 2061)
0c 00 01 00 04 01 08 00 40 00 00 00 01 02 00 00 ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #36 [hci0] 17.146654
invalid packet size (16 != 2061)
0c 00 01 00 03 01 08 00 00 00 00 00 00 00 00 00 ................
> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #37 [hci0] 17.147190
invalid packet size (16 != 2061)
0c 00 01 00 04 01 08 00 40 00 00 00 05 00 00 00 ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 1804 #38 [hci0] 17.148090
invalid packet size (15 != 1804)
0b 00 01 00 04 01 07 00 40 00 00 00 05 00 00 ........@......
> ACL Data RX: Handle 200 flags 0x00 dlen 1547 #39 [hci0] 17.148708
invalid packet size (14 != 1547)
(...)
The last ACL data packet invokes:
l2cap_bredr_sig_cmd
l2cap_config_rsp
l2cap_send_disconn_req
l2cap_state_change_and_error
Bluetooth: chan 00000000205763be BT_CONFIG -> BT_DISCONN
This is the code and whole log:
https://gist.github.com/swkim101/82bc694f9427f008c14e91307b3355b6
Thanks.
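A decoder for the L2CAP signaling PDUs in the btmon trace above, so the raw hex can be read without hand-decoding. This is an added example, not code from the thread, from btmon or from the kernel: the sample input is the RX hex quoted in the message, re-typed as constants with the dlen each ACL header claimed (the elided packet #39 is not included), and the field layouts follow Bluetooth Core Spec Vol 3, Part A (basic header, signaling commands, configuration options). It reports the same length mismatches btmon flagged and decodes the command bodies: packet #32 is a Connection Request for PSM 0x1001 with source CID 0xffff (matching the Source CID in the host's Connection Response), packet #35 a Configure Request carrying an MTU option with value 0, and packet #38 a Configure Request whose option list ends in a stray trailing byte.

```python
"""Decode L2CAP signaling PDUs from btmon ACL RX hex (added example)."""
import struct

SIGNALING_CID = 0x0001  # fixed CID for BR/EDR signaling

# Signaling command codes (Core Spec Vol 3, Part A, 4.1).
SIG_CODES = {
    0x01: "Command Reject", 0x02: "Connection Request",
    0x03: "Connection Response", 0x04: "Configure Request",
    0x05: "Configure Response", 0x06: "Disconnection Request",
    0x07: "Disconnection Response", 0x08: "Echo Request",
    0x09: "Echo Response", 0x0a: "Information Request",
    0x0b: "Information Response",
}

# Configuration option types (Vol 3, Part A, 5.1). Bit 7 of the type byte
# is the hint flag: an unknown option with the hint set may be ignored.
CONF_OPTIONS = {
    0x01: "MTU", 0x02: "Flush Timeout", 0x03: "QoS",
    0x04: "Retransmission and Flow Control", 0x05: "FCS",
    0x06: "Extended Flow Specification", 0x07: "Extended Window Size",
}


def decode_options(data):
    """Decode the type/length/value list of a Configure Request/Response."""
    options, issues, off = [], [], 0
    while off + 2 <= len(data):
        typ, length = data[off], data[off + 1]
        value = data[off + 2:off + 2 + length]
        if len(value) < length:
            issues.append(f"option 0x{typ & 0x7f:02x} claims {length} bytes, {len(value)} present")
            break
        base = typ & 0x7f
        entry = {"type": CONF_OPTIONS.get(base, f"unknown(0x{base:02x})"),
                 "hint": bool(typ & 0x80), "raw": value.hex()}
        if base in (0x01, 0x02) and length == 2:  # MTU, Flush Timeout: 16-bit LE
            entry["value"] = struct.unpack("<H", value)[0]
        options.append(entry)
        off += 2 + length
    if off != len(data):
        issues.append(f"{len(data) - off} trailing option byte(s)")
    return options, issues


def decode_command(code, ident, data):
    """Decode one signaling command body into a dict of named fields."""
    cmd = {"code": code, "name": SIG_CODES.get(code, f"unknown(0x{code:02x})"), "ident": ident}
    issues = []
    try:
        if code == 0x02:
            cmd["psm"], cmd["scid"] = struct.unpack("<HH", data[:4])
        elif code == 0x03:
            cmd["dcid"], cmd["scid"], cmd["result"], cmd["status"] = struct.unpack("<HHHH", data[:8])
        elif code == 0x04:
            cmd["dcid"], cmd["flags"] = struct.unpack("<HH", data[:4])
            cmd["options"], issues = decode_options(data[4:])
        elif code == 0x05:
            cmd["scid"], cmd["flags"], cmd["result"] = struct.unpack("<HHH", data[:6])
            cmd["options"], issues = decode_options(data[6:])
        elif code in (0x06, 0x07):
            cmd["dcid"], cmd["scid"] = struct.unpack("<HH", data[:4])
        else:
            cmd["raw"] = data.hex()
    except struct.error:
        issues.append(f"{cmd['name']} body too short ({len(data)} bytes)")
    return cmd, issues


def decode_acl(dlen, payload):
    """Decode one ACL payload: dlen from the ACL header, payload as dumped."""
    issues = []
    if dlen != len(payload):  # what btmon reports as "invalid packet size"
        issues.append(f"ACL dlen {dlen} != {len(payload)} bytes present")
    if len(payload) < 4:
        return {"cid": None, "commands": [], "issues": issues + ["no L2CAP basic header"]}
    l2_len, cid = struct.unpack_from("<HH", payload)
    body = payload[4:]
    if l2_len != len(body):
        issues.append(f"L2CAP length {l2_len} != {len(body)} bytes present")
    frame = {"cid": cid, "commands": [], "issues": issues}
    if cid != SIGNALING_CID:
        return frame
    off = 0
    while off + 4 <= len(body):  # a signaling frame may carry several commands
        code, ident, clen = struct.unpack_from("<BBH", body, off)
        cdata = body[off + 4:off + 4 + clen]
        if len(cdata) < clen:
            issues.append(f"command 0x{code:02x} claims {clen} bytes, {len(cdata)} present")
            break
        cmd, cmd_issues = decode_command(code, ident, cdata)
        frame["commands"].append(cmd)
        issues.extend(cmd_issues)
        off += 4 + clen
    return frame


# Constructed from the RX lines quoted in the message above: ACL dlen as
# claimed in the header, hex exactly as btmon dumped it. Packet #39 is elided.
TRACE = [
    (1033, "08 00 01 00 02 01 04 00 01 10 ff ff"),
    (2061, "0c 00 01 00 04 01 08 00 40 00 00 00 01 02 00 00"),
    (2061, "0c 00 01 00 03 01 08 00 00 00 00 00 00 00 00 00"),
    (2061, "0c 00 01 00 04 01 08 00 40 00 00 00 05 00 00 00"),
    (1804, "0b 00 01 00 04 01 07 00 40 00 00 00 05 00 00"),
]


def decode_trace(trace=TRACE):
    return [decode_acl(dlen, bytes.fromhex(hexstr)) for dlen, hexstr in trace]


if __name__ == "__main__":
    for frame in decode_trace():
        for cmd in frame["commands"]:
            print(cmd)
        for issue in frame["issues"]:
            print("  !", issue)
```

Two checks are kept separate on purpose: the ACL dlen mismatch is an HCI-layer inconsistency (the fuzzer's ACL header overstates the payload), while the L2CAP length field in these packets is consistent with the bytes actually present, which is why the kernel still processes them as well-formed signaling commands.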