* [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in rfcomm_sock_setsockopt
@ 2024-04-05 6:55 syzbot
2024-04-05 9:30 ` Edward Adam Davis
2024-04-05 10:16 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Edward Adam Davis
0 siblings, 2 replies; 17+ messages in thread
From: syzbot @ 2024-04-05 6:55 UTC (permalink / raw)
To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=176e2415180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=d4ecae01a53fd9b42e7d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118f9af9180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a0ad29180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f6c04726a2ae/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/09c26ce901ea/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/134acf7f5322/bzImage-fe46a7dd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]
BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673
Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
copy_from_sockptr include/linux/sockptr.h:55 [inline]
rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]
rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673
do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f36ff898dc9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe010c2208 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f36ff898dc9
RDX: 0000000000000003 RSI: 0000000000000012 RDI: 0000000000000006
RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000555567399338
R13: 000000000000000e R14: 0000000000000000 R15: 0000000000000000
</TASK>
Allocated by task 5064:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x233/0x4a0 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
__cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869
do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
The buggy address belongs to the object at ffff8880209a8bc0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 1 bytes to the right of
allocated 2-byte region [ffff8880209a8bc0, ffff8880209a8bc2)
The buggy address belongs to the physical page:
page:ffffea0000826a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x209a8
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888014c41280 ffffea000081fb80 dead000000000002
raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 9917548498, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
__alloc_pages+0x256/0x680 mm/page_alloc.c:4569
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page+0x5f/0x160 mm/slub.c:2175
allocate_slab mm/slub.c:2338 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2391
___slab_alloc+0xc73/0x1260 mm/slub.c:3525
__slab_alloc mm/slub.c:3610 [inline]
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x2e5/0x4a0 mm/slub.c:3979
kmalloc_array include/linux/slab.h:665 [inline]
kcalloc include/linux/slab.h:696 [inline]
group_cpus_evenly+0x294/0x5f0 lib/group_cpus.c:365
blk_mq_map_queues+0x4c/0x3e0 block/blk-mq-cpumap.c:23
blk_mq_alloc_tag_set+0x7ac/0xf40 block/blk-mq.c:4521
nbd_dev_add+0x367/0xc80 drivers/block/nbd.c:1831
nbd_init+0x224/0x2e0 drivers/block/nbd.c:2593
do_one_initcall+0x238/0x830 init/main.c:1241
do_initcall_level+0x157/0x210 init/main.c:1303
do_initcalls+0x3f/0x80 init/main.c:1319
kernel_init_freeable+0x435/0x5d0 init/main.c:1550
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880209a8a80: 06 fc fc fc 06 fc fc fc 06 fc fc fc 07 fc fc fc
ffff8880209a8b00: fa fc fc fc 05 fc fc fc 05 fc fc fc 05 fc fc fc
>ffff8880209a8b80: fa fc fc fc fa fc fc fc 02 fc fc fc fa fc fc fc
^
ffff8880209a8c00: 00 fc fc fc 00 fc fc fc 00 fc fc fc 05 fc fc fc
ffff8880209a8c80: 05 fc fc fc 05 fc fc fc fa fc fc fc 00 fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in rfcomm_sock_setsockopt
2024-04-05 6:55 [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in rfcomm_sock_setsockopt syzbot
@ 2024-04-05 9:30 ` Edward Adam Davis
2024-04-06 0:52 ` syzbot
2024-04-05 10:16 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Edward Adam Davis
1 sibling, 1 reply; 17+ messages in thread
From: Edward Adam Davis @ 2024-04-05 9:30 UTC (permalink / raw)
To: syzbot+d4ecae01a53fd9b42e7d; +Cc: linux-kernel, syzkaller-bugs
please test oob in rfcomm_sock_setsockopt
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index b54e8a530f55..42c55c756b51 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
switch (optname) {
case RFCOMM_LM:
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+ if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) {
err = -EFAULT;
break;
}
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH] net/socket: the length value of the input socket option parameter is too small
2024-04-05 6:55 [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in rfcomm_sock_setsockopt syzbot
2024-04-05 9:30 ` Edward Adam Davis
@ 2024-04-05 10:16 ` Edward Adam Davis
2024-04-05 10:56 ` bluez.test.bot
` (2 more replies)
1 sibling, 3 replies; 17+ messages in thread
From: Edward Adam Davis @ 2024-04-05 10:16 UTC (permalink / raw)
To: syzbot+d4ecae01a53fd9b42e7d
Cc: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
syzkaller-bugs
[Syzbot reported]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]
BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673
Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
copy_from_sockptr include/linux/sockptr.h:55 [inline]
rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]
rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673
do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f36ff898dc9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe010c2208 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f36ff898dc9
RDX: 0000000000000003 RSI: 0000000000000012 RDI: 0000000000000006
RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000555567399338
R13: 000000000000000e R14: 0000000000000000 R15: 0000000000000000
</TASK>
Allocated by task 5064:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x233/0x4a0 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
__cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869
do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
The buggy address belongs to the object at ffff8880209a8bc0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 1 bytes to the right of
allocated 2-byte region [ffff8880209a8bc0, ffff8880209a8bc2)
[Fix]
The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
only 2 bytes being allocated when allocating memory to kernel_optval, and the
optval size passed when calling the function copy_from_sockptr() is 4 bytes.
Here, optlen is determined uniformly in the entry function __sys_setsockopt().
If its value is less than 4, the parameter is considered invalid.
Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
net/socket.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/socket.c b/net/socket.c
index e5f3af49a8b6..ac8fd4f6ebfe 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2327,6 +2327,9 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
int err, fput_needed;
struct socket *sock;
+ if (optlen < sizeof(int))
+ return -EINVAL;
+
sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
return err;
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* RE: net/socket: the length value of the input socket option parameter is too small
2024-04-05 10:16 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Edward Adam Davis
@ 2024-04-05 10:56 ` bluez.test.bot
2024-04-05 11:08 ` [PATCH] " Paul Menzel
2024-04-05 11:39 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Eric Dumazet
2 siblings, 0 replies; 17+ messages in thread
From: bluez.test.bot @ 2024-04-05 10:56 UTC (permalink / raw)
To: linux-bluetooth, eadavis
[-- Attachment #1: Type: text/plain, Size: 7150 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=841753
---Test result---
Test Summary:
CheckPatch FAIL 0.98 seconds
GitLint FAIL 0.48 seconds
SubjectPrefix FAIL 0.30 seconds
BuildKernel PASS 31.06 seconds
CheckAllWarning PASS 33.45 seconds
CheckSparse PASS 38.95 seconds
CheckSmatch FAIL 35.51 seconds
BuildKernel32 PASS 29.83 seconds
TestRunnerSetup PASS 535.04 seconds
TestRunner_l2cap-tester FAIL 16.87 seconds
TestRunner_iso-tester PASS 33.25 seconds
TestRunner_bnep-tester PASS 4.76 seconds
TestRunner_mgmt-tester PASS 110.11 seconds
TestRunner_rfcomm-tester PASS 7.36 seconds
TestRunner_sco-tester FAIL 15.43 seconds
TestRunner_ioctl-tester PASS 7.78 seconds
TestRunner_mesh-tester PASS 5.85 seconds
TestRunner_smp-tester PASS 6.81 seconds
TestRunner_userchan-tester PASS 5.03 seconds
IncrementalBuild PASS 28.99 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
net/socket: the length value of the input socket option parameter is too small
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#90:
CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
WARNING: Possible repeated word: 'Google'
#91:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#149:
Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
total: 0 errors, 3 warnings, 0 checks, 9 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13618859.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
net/socket: the length value of the input socket option parameter is too small
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (94>80): "BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]"
5: B1 Line exceeds max length (87>80): "BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]"
6: B1 Line exceeds max length (101>80): "BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]"
7: B1 Line exceeds max length (100>80): "BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673"
10: B1 Line exceeds max length (89>80): "CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0"
11: B1 Line exceeds max length (89>80): "Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024"
31: B1 Line exceeds max length (199>80): "Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48"
66: B2 Line has trailing whitespace: "Here, optlen is determined uniformly in the entry function __sys_setsockopt(). "
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: net/bluetooth/hci_core.o] Error 139
make[4]: *** Deleting file 'net/bluetooth/hci_core.o'
make[3]: *** [scripts/Makefile.build:485: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: net] Error 2
make[2]: *** Waiting for unfinished jobs....
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: drivers/bluetooth/bcm203x.o] Error 139
make[4]: *** Deleting file 'drivers/bluetooth/bcm203x.o'
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:485: drivers/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: drivers] Error 2
make[1]: *** [/github/workspace/src/src/Makefile:1919: .] Error 2
make: *** [Makefile:240: __sub-make] Error 2
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 55, Passed: 40 (72.7%), Failed: 15, Not Run: 0
Failed Test Cases
L2CAP BR/EDR Client SSP - Success 2 Failed 0.063 seconds
L2CAP BR/EDR Client PIN Code - Success Failed 0.058 seconds
L2CAP LE Client SMP - Success Failed 0.065 seconds
L2CAP Ext-Flowctl Client - Success Failed 0.057 seconds
L2CAP Ext-Flowctl Client - Close Failed 0.063 seconds
L2CAP Ext-Flowctl Client - Timeout Failed 0.054 seconds
L2CAP Ext-Flowctl Client, Direct Advertising - Success Failed 0.067 seconds
L2CAP Ext-Flowctl Client SMP - Success Failed 0.065 seconds
L2CAP Ext-Flowctl Client - Command Reject Failed 0.055 seconds
L2CAP Ext-Flowctl Client - Open two sockets Failed 0.058 seconds
L2CAP Ext-Flowctl Client - Open two sockets close one Failed 0.060 seconds
L2CAP LE ATT Client - Success Failed 0.063 seconds
L2CAP LE EATT Client - Success Failed 0.061 seconds
L2CAP LE EATT Server - Success Failed 0.055 seconds
L2CAP LE EATT Server - Reject Failed 0.057 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
Total: 15, Passed: 12 (80.0%), Failed: 3, Not Run: 0
Failed Test Cases
Basic SCO Set Socket Option - Success Failed 0.081 seconds
eSCO mSBC - Success Failed 0.079 seconds
SCO mSBC 1.1 - Failure Failed 0.081 seconds
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] net/socket: the length value of the input socket option parameter is too small
2024-04-05 10:16 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Edward Adam Davis
2024-04-05 10:56 ` bluez.test.bot
@ 2024-04-05 11:08 ` Paul Menzel
2024-04-09 12:15 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
2024-04-05 11:39 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Eric Dumazet
2 siblings, 1 reply; 17+ messages in thread
From: Paul Menzel @ 2024-04-05 11:08 UTC (permalink / raw)
To: Edward Adam Davis
Cc: syzbot+d4ecae01a53fd9b42e7d, johan.hedberg, linux-bluetooth,
linux-kernel, luiz.dentz, marcel, syzkaller-bugs
Dear Edward,
Thank you very much for looking into this and sending a patch. Should
you resent, I’d make the summary about the change and not the issue. Maybe:
net/socket: Ensure length of input socket option param >= sizeof(int)
Kind regards,
Paul
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] net/socket: the length value of the input socket option parameter is too small
2024-04-05 10:16 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Edward Adam Davis
2024-04-05 10:56 ` bluez.test.bot
2024-04-05 11:08 ` [PATCH] " Paul Menzel
@ 2024-04-05 11:39 ` Eric Dumazet
2 siblings, 0 replies; 17+ messages in thread
From: Eric Dumazet @ 2024-04-05 11:39 UTC (permalink / raw)
To: Edward Adam Davis, syzbot+d4ecae01a53fd9b42e7d
Cc: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
syzkaller-bugs, edumazet
On 4/5/24 12:16, Edward Adam Davis wrote:
> [Syzbot reported]
> BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
> BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
> BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]
> BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673
> Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
>
> CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:488
> kasan_report+0x143/0x180 mm/kasan/report.c:601
> copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
> copy_from_sockptr include/linux/sockptr.h:55 [inline]
> rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]
> rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673
> do_sock_setsockopt+0x3af/0x720 net/socket.c:2311
> __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
> __do_sys_setsockopt net/socket.c:2343 [inline]
> __se_sys_setsockopt net/socket.c:2340 [inline]
> __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
> do_syscall_64+0xfb/0x240
> entry_SYSCALL_64_after_hwframe+0x6d/0x75
> RIP: 0033:0x7f36ff898dc9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffe010c2208 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f36ff898dc9
> RDX: 0000000000000003 RSI: 0000000000000012 RDI: 0000000000000006
> RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000000000
> R10: 00000000200000c0 R11: 0000000000000246 R12: 0000555567399338
> R13: 000000000000000e R14: 0000000000000000 R15: 0000000000000000
> </TASK>
>
> Allocated by task 5064:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
> kasan_kmalloc include/linux/kasan.h:211 [inline]
> __do_kmalloc_node mm/slub.c:3966 [inline]
> __kmalloc+0x233/0x4a0 mm/slub.c:3979
> kmalloc include/linux/slab.h:632 [inline]
> __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869
> do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
> __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
> __do_sys_setsockopt net/socket.c:2343 [inline]
> __se_sys_setsockopt net/socket.c:2340 [inline]
> __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
> do_syscall_64+0xfb/0x240
> entry_SYSCALL_64_after_hwframe+0x6d/0x75
>
> The buggy address belongs to the object at ffff8880209a8bc0
> which belongs to the cache kmalloc-8 of size 8
> The buggy address is located 1 bytes to the right of
> allocated 2-byte region [ffff8880209a8bc0, ffff8880209a8bc2)
> [Fix]
> The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
> only 2 bytes being allocated when allocating memory to kernel_optval, and the
> optval size passed when calling the function copy_from_sockptr() is 4 bytes.
> Here, optlen is determined uniformly in the entry function __sys_setsockopt().
> If its value is less than 4, the parameter is considered invalid.
>
> Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> net/socket.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index e5f3af49a8b6..ac8fd4f6ebfe 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2327,6 +2327,9 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
> int err, fput_needed;
> struct socket *sock;
>
> + if (optlen < sizeof(int))
> + return -EINVAL;
> +
Please cc netdev@ for core networking patches.
This patch is not good, please fix net/bluetooth/rfcomm/sock.c instead
I think I did this yesterday already :
https://lore.kernel.org/netdev/20240404124723.2429464-1-edumazet@google.com/T/
> sock = sockfd_lookup_light(fd, &err, &fput_needed);
> if (!sock)
> return err;
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in rfcomm_sock_setsockopt
2024-04-05 9:30 ` Edward Adam Davis
@ 2024-04-06 0:52 ` syzbot
0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2024-04-06 0:52 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=112db3e3180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=d4ecae01a53fd9b42e7d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13f92ead180000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int)
2024-04-05 11:08 ` [PATCH] " Paul Menzel
@ 2024-04-09 12:15 ` Edward Adam Davis
2024-04-09 13:07 ` Eric Dumazet
2024-04-09 13:08 ` bluez.test.bot
0 siblings, 2 replies; 17+ messages in thread
From: Edward Adam Davis @ 2024-04-09 12:15 UTC (permalink / raw)
To: pmenzel
Cc: netdev, eadavis, johan.hedberg, linux-bluetooth, linux-kernel,
luiz.dentz, marcel, syzbot+d4ecae01a53fd9b42e7d, syzkaller-bugs
The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
only 2 bytes being allocated when allocating memory to kernel_optval, and the
optval size passed when calling the function copy_from_sockptr() is 4 bytes.
Here, optlen is determined uniformly in the entry function __sys_setsockopt().
If its value is less than 4, the parameter is considered invalid.
Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com
Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com
Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
net/socket.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/socket.c b/net/socket.c
index e5f3af49a8b6..ac8fd4f6ebfe 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2327,6 +2327,9 @@ int __sys_setsockopt(int fd, int level, int optname, char __user *user_optval,
int err, fput_needed;
struct socket *sock;
+ if (optlen < sizeof(int))
+ return -EINVAL;
+
sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (!sock)
return err;
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int)
2024-04-09 12:15 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
@ 2024-04-09 13:07 ` Eric Dumazet
2024-04-09 13:25 ` Luiz Augusto von Dentz
` (2 more replies)
2024-04-09 13:08 ` bluez.test.bot
1 sibling, 3 replies; 17+ messages in thread
From: Eric Dumazet @ 2024-04-09 13:07 UTC (permalink / raw)
To: Edward Adam Davis, pmenzel, edumazet
Cc: netdev, johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz,
marcel, syzbot+d4ecae01a53fd9b42e7d, syzkaller-bugs
On 4/9/24 14:15, Edward Adam Davis wrote:
> The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
> only 2 bytes being allocated when allocating memory to kernel_optval, and the
> optval size passed when calling the function copy_from_sockptr() is 4 bytes.
> Here, optlen is determined uniformly in the entry function __sys_setsockopt().
> If its value is less than 4, the parameter is considered invalid.
>
> Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com
> Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com
> Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
I think I gave my feedback already.
Please do not ignore maintainers feedback.
This patch is absolutely wrong.
Some setsockopt() deal with optlen == 1 just fine, thank you very much.
^ permalink raw reply [flat|nested] 17+ messages in thread
* RE: net/socket: Ensure length of input socket option param >= sizeof(int)
2024-04-09 12:15 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
2024-04-09 13:07 ` Eric Dumazet
@ 2024-04-09 13:08 ` bluez.test.bot
1 sibling, 0 replies; 17+ messages in thread
From: bluez.test.bot @ 2024-04-09 13:08 UTC (permalink / raw)
To: linux-bluetooth, eadavis
[-- Attachment #1: Type: text/plain, Size: 6914 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=842803
---Test result---
Test Summary:
CheckPatch FAIL 0.88 seconds
GitLint FAIL 0.46 seconds
SubjectPrefix FAIL 0.43 seconds
BuildKernel PASS 31.15 seconds
CheckAllWarning PASS 33.29 seconds
CheckSparse PASS 38.65 seconds
CheckSmatch FAIL 35.17 seconds
BuildKernel32 PASS 29.25 seconds
TestRunnerSetup PASS 532.15 seconds
TestRunner_l2cap-tester FAIL 17.25 seconds
TestRunner_iso-tester FAIL 35.88 seconds
TestRunner_bnep-tester PASS 4.74 seconds
TestRunner_mgmt-tester FAIL 113.82 seconds
TestRunner_rfcomm-tester PASS 7.51 seconds
TestRunner_sco-tester FAIL 15.66 seconds
TestRunner_ioctl-tester PASS 7.73 seconds
TestRunner_mesh-tester PASS 5.73 seconds
TestRunner_smp-tester PASS 6.71 seconds
TestRunner_userchan-tester PASS 4.79 seconds
IncrementalBuild PASS 28.18 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
net/socket: Ensure length of input socket option param >= sizeof(int)
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#86:
The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#92:
Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com
Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#93:
Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com
Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#94:
Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
total: 0 errors, 4 warnings, 0 checks, 9 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13622424.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
net/socket: Ensure length of input socket option param >= sizeof(int)
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
6: B2 Line has trailing whitespace: "Here, optlen is determined uniformly in the entry function __sys_setsockopt(). "
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: net/bluetooth/hci_core.o] Error 139
make[4]: *** Deleting file 'net/bluetooth/hci_core.o'
make[3]: *** [scripts/Makefile.build:485: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: net] Error 2
make[2]: *** Waiting for unfinished jobs....
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: drivers/bluetooth/bcm203x.o] Error 139
make[4]: *** Deleting file 'drivers/bluetooth/bcm203x.o'
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:485: drivers/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: drivers] Error 2
make[1]: *** [/github/workspace/src/src/Makefile:1919: .] Error 2
make: *** [Makefile:240: __sub-make] Error 2
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 55, Passed: 40 (72.7%), Failed: 15, Not Run: 0
Failed Test Cases
L2CAP BR/EDR Client SSP - Success 2 Failed 0.072 seconds
L2CAP BR/EDR Client PIN Code - Success Failed 0.057 seconds
L2CAP LE Client SMP - Success Failed 0.060 seconds
L2CAP Ext-Flowctl Client - Success Failed 0.056 seconds
L2CAP Ext-Flowctl Client - Close Failed 0.064 seconds
L2CAP Ext-Flowctl Client - Timeout Failed 0.061 seconds
L2CAP Ext-Flowctl Client, Direct Advertising - Success Failed 0.063 seconds
L2CAP Ext-Flowctl Client SMP - Success Failed 0.069 seconds
L2CAP Ext-Flowctl Client - Command Reject Failed 0.064 seconds
L2CAP Ext-Flowctl Client - Open two sockets Failed 0.061 seconds
L2CAP Ext-Flowctl Client - Open two sockets close one Failed 0.066 seconds
L2CAP LE ATT Client - Success Failed 0.063 seconds
L2CAP LE EATT Client - Success Failed 0.064 seconds
L2CAP LE EATT Server - Success Failed 0.060 seconds
L2CAP LE EATT Server - Reject Failed 0.059 seconds
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
Total: 121, Passed: 120 (99.2%), Failed: 1, Not Run: 0
Failed Test Cases
ISO Connect Suspend - Success Failed 4.164 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 489 (99.4%), Failed: 1, Not Run: 2
Failed Test Cases
LL Privacy - Add Device 5 (2 Devices to RL) Failed 0.171 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
Total: 15, Passed: 12 (80.0%), Failed: 3, Not Run: 0
Failed Test Cases
Basic SCO Set Socket Option - Success Failed 0.085 seconds
eSCO mSBC - Success Failed 0.078 seconds
SCO mSBC 1.1 - Failure Failed 0.079 seconds
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int)
2024-04-09 13:07 ` Eric Dumazet
@ 2024-04-09 13:25 ` Luiz Augusto von Dentz
2024-04-09 13:36 ` [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt Edward Adam Davis
2024-04-09 14:01 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
2 siblings, 0 replies; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-04-09 13:25 UTC (permalink / raw)
To: Eric Dumazet
Cc: Edward Adam Davis, pmenzel, edumazet, netdev, johan.hedberg,
linux-bluetooth, linux-kernel, marcel,
syzbot+d4ecae01a53fd9b42e7d, syzkaller-bugs
Hi,
On Tue, Apr 9, 2024 at 9:07 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
> On 4/9/24 14:15, Edward Adam Davis wrote:
> > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
> > only 2 bytes being allocated when allocating memory to kernel_optval, and the
> > optval size passed when calling the function copy_from_sockptr() is 4 bytes.
> > Here, optlen is determined uniformly in the entry function __sys_setsockopt().
> > If its value is less than 4, the parameter is considered invalid.
> >
> > Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com
> > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com
> > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>
>
> I think I gave my feedback already.
>
> Please do not ignore maintainers feedback.
>
> This patch is absolutely wrong.
>
> Some setsockopt() deal with optlen == 1 just fine, thank you very much.
+1, I don't think the setsockopt interface has a fixed minimum of
sizeof(int), so this is a nak from me as well.
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt
2024-04-09 13:07 ` Eric Dumazet
2024-04-09 13:25 ` Luiz Augusto von Dentz
@ 2024-04-09 13:36 ` Edward Adam Davis
2024-04-09 14:11 ` Luiz Augusto von Dentz
2024-04-09 14:12 ` bluez.test.bot
2024-04-09 14:01 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
2 siblings, 2 replies; 17+ messages in thread
From: Edward Adam Davis @ 2024-04-09 13:36 UTC (permalink / raw)
To: eric.dumazet
Cc: eadavis, edumazet, johan.hedberg, linux-bluetooth, linux-kernel,
luiz.dentz, marcel, netdev, pmenzel, syzbot+d4ecae01a53fd9b42e7d,
syzkaller-bugs
If optlen < sizeof(u32) it will trigger oob, so take the min of them.
Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
net/bluetooth/rfcomm/sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index b54e8a530f55..42c55c756b51 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
switch (optname) {
case RFCOMM_LM:
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+ if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) {
err = -EFAULT;
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int)
2024-04-09 13:07 ` Eric Dumazet
2024-04-09 13:25 ` Luiz Augusto von Dentz
2024-04-09 13:36 ` [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt Edward Adam Davis
@ 2024-04-09 14:01 ` Edward Adam Davis
2024-04-09 14:17 ` Eric Dumazet
2024-04-09 18:27 ` Jakub Kicinski
2 siblings, 2 replies; 17+ messages in thread
From: Edward Adam Davis @ 2024-04-09 14:01 UTC (permalink / raw)
To: eric.dumazet
Cc: eadavis, edumazet, johan.hedberg, linux-bluetooth, linux-kernel,
luiz.dentz, marcel, netdev, pmenzel, syzbot+d4ecae01a53fd9b42e7d,
syzkaller-bugs
On Tue, 9 Apr 2024 15:07:41 +0200, Eric Dumazet wrote:
> > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
> > only 2 bytes being allocated when allocating memory to kernel_optval, and the
> > optval size passed when calling the function copy_from_sockptr() is 4 bytes.
> > Here, optlen is determined uniformly in the entry function __sys_setsockopt().
> > If its value is less than 4, the parameter is considered invalid.
> >
> > Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com
> > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com
> > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>
>
> I think I gave my feedback already.
>
> Please do not ignore maintainers feedback.
>
> This patch is absolutely wrong.
>
> Some setsockopt() deal with optlen == 1 just fine, thank you very much.
It's better to use evidence to support your claim, rather than your "maintainer" title.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt
2024-04-09 13:36 ` [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt Edward Adam Davis
@ 2024-04-09 14:11 ` Luiz Augusto von Dentz
2024-04-09 14:12 ` bluez.test.bot
1 sibling, 0 replies; 17+ messages in thread
From: Luiz Augusto von Dentz @ 2024-04-09 14:11 UTC (permalink / raw)
To: Edward Adam Davis
Cc: eric.dumazet, edumazet, johan.hedberg, linux-bluetooth,
linux-kernel, marcel, netdev, pmenzel,
syzbot+d4ecae01a53fd9b42e7d, syzkaller-bugs
Hi Edward,
On Tue, Apr 9, 2024 at 9:36 AM Edward Adam Davis <eadavis@qq.com> wrote:
>
> If optlen < sizeof(u32) it will trigger oob, so take the min of them.
>
> Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> net/bluetooth/rfcomm/sock.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> index b54e8a530f55..42c55c756b51 100644
> --- a/net/bluetooth/rfcomm/sock.c
> +++ b/net/bluetooth/rfcomm/sock.c
> @@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
>
> switch (optname) {
> case RFCOMM_LM:
> - if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
> + if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) {
> err = -EFAULT;
> break;
> }
> --
> 2.43.0
This has been dealt with already:
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ee77912bc0bbd78fceb785a81cc9108fa954982f
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 17+ messages in thread
* RE: Bluetooth: fix oob in rfcomm_sock_setsockopt
2024-04-09 13:36 ` [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt Edward Adam Davis
2024-04-09 14:11 ` Luiz Augusto von Dentz
@ 2024-04-09 14:12 ` bluez.test.bot
1 sibling, 0 replies; 17+ messages in thread
From: bluez.test.bot @ 2024-04-09 14:12 UTC (permalink / raw)
To: linux-bluetooth, eadavis
[-- Attachment #1: Type: text/plain, Size: 556 bytes --]
This is an automated email and please do not reply to this email.
Dear Submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.
----- Output -----
error: patch failed: net/bluetooth/rfcomm/sock.c:629
error: net/bluetooth/rfcomm/sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch
Please resolve the issue and submit the patches again.
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int)
2024-04-09 14:01 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
@ 2024-04-09 14:17 ` Eric Dumazet
2024-04-09 18:27 ` Jakub Kicinski
1 sibling, 0 replies; 17+ messages in thread
From: Eric Dumazet @ 2024-04-09 14:17 UTC (permalink / raw)
To: Edward Adam Davis
Cc: eric.dumazet, johan.hedberg, linux-bluetooth, linux-kernel,
luiz.dentz, marcel, netdev, pmenzel, syzbot+d4ecae01a53fd9b42e7d,
syzkaller-bugs
On Tue, Apr 9, 2024 at 4:02 PM Edward Adam Davis <eadavis@qq.com> wrote:
>
> On Tue, 9 Apr 2024 15:07:41 +0200, Eric Dumazet wrote:
> > > The optlen value passed by syzbot to _sys_setsockopt() is 2, which results in
> > > only 2 bytes being allocated when allocating memory to kernel_optval, and the
> > > optval size passed when calling the function copy_from_sockptr() is 4 bytes.
> > > Here, optlen is determined uniformly in the entry function __sys_setsockopt().
> > > If its value is less than 4, the parameter is considered invalid.
> > >
> > > Reported-by: syzbot+837ba09d9db969068367@syzkaller.appspotmail.com
> > > Reported-by: syzbot+b71011ec0a23f4d15625@syzkaller.appspotmail.com
> > > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
> > > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> >
> >
> > I think I gave my feedback already.
> >
> > Please do not ignore maintainers feedback.
> >
> > This patch is absolutely wrong.
> >
> > Some setsockopt() deal with optlen == 1 just fine, thank you very much.
> It's better to use evidence to support your claim, rather than your "maintainer" title.
I will answer since you ask so nicely,
but if you plan sending linux kernel patches, I suggest you look in
the source code.
Look at do_ip_setsockopt(), which is one of the most used setsockopt()
in the world.
The code is at least 20 years old.
It even supports optlen == 0
if (optlen >= sizeof(int)) {
if (copy_from_sockptr(&val, optval, sizeof(val)))
return -EFAULT;
} else if (optlen >= sizeof(char)) {
unsigned char ucval;
if (copy_from_sockptr(&ucval, optval, sizeof(ucval)))
return -EFAULT;
val = (int) ucval;
}
}
/* If optlen==0, it is equivalent to val == 0 */
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int)
2024-04-09 14:01 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
2024-04-09 14:17 ` Eric Dumazet
@ 2024-04-09 18:27 ` Jakub Kicinski
1 sibling, 0 replies; 17+ messages in thread
From: Jakub Kicinski @ 2024-04-09 18:27 UTC (permalink / raw)
To: Edward Adam Davis
Cc: eric.dumazet, edumazet, johan.hedberg, linux-bluetooth,
linux-kernel, luiz.dentz, marcel, netdev, pmenzel,
syzbot+d4ecae01a53fd9b42e7d, syzkaller-bugs
On Tue, 9 Apr 2024 22:01:45 +0800 Edward Adam Davis wrote:
> > I think I gave my feedback already.
> >
> > Please do not ignore maintainers feedback.
> >
> > This patch is absolutely wrong.
> >
> > Some setsockopt() deal with optlen == 1 just fine, thank you very much.
>
> It's better to use evidence to support your claim, rather than your "maintainer" title.
Run selftests.
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2024-04-09 18:27 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-05 6:55 [syzbot] [bluetooth?] KASAN: slab-out-of-bounds Read in rfcomm_sock_setsockopt syzbot
2024-04-05 9:30 ` Edward Adam Davis
2024-04-06 0:52 ` syzbot
2024-04-05 10:16 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Edward Adam Davis
2024-04-05 10:56 ` bluez.test.bot
2024-04-05 11:08 ` [PATCH] " Paul Menzel
2024-04-09 12:15 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
2024-04-09 13:07 ` Eric Dumazet
2024-04-09 13:25 ` Luiz Augusto von Dentz
2024-04-09 13:36 ` [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt Edward Adam Davis
2024-04-09 14:11 ` Luiz Augusto von Dentz
2024-04-09 14:12 ` bluez.test.bot
2024-04-09 14:01 ` [PATCH] net/socket: Ensure length of input socket option param >= sizeof(int) Edward Adam Davis
2024-04-09 14:17 ` Eric Dumazet
2024-04-09 18:27 ` Jakub Kicinski
2024-04-09 13:08 ` bluez.test.bot
2024-04-05 11:39 ` [PATCH] net/socket: the length value of the input socket option parameter is too small Eric Dumazet
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.