From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Matias Karhumaa <matias.karhumaa@gmail.com>,
	Johan Hedberg <johan.hedberg@intel.com>,
	Marcel Holtmann <marcel@holtmann.org>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.18 21/48] Bluetooth: Use correct tfm to generate OOB data
Date: Fri,  5 Oct 2018 12:13:57 -0400
Message-ID: <20181005161424.20521-21-sashal@kernel.org>
In-Reply-To: <20181005161424.20521-1-sashal@kernel.org>

From: Matias Karhumaa <matias.karhumaa@gmail.com>

[ Upstream commit 4ba5175f2c10affd412fa41855cecda02b66cd71 ]

In case local OOB data was generated and the other device initiated pairing
claiming that it had OOB data, the following crash occurred:

[  222.847853] general protection fault: 0000 [#1] SMP PTI
[  222.848025] CPU: 1 PID: 42 Comm: kworker/u5:0 Tainted: G         C        4.18.0-custom #4
[  222.848158] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  222.848307] Workqueue: hci0 hci_rx_work [bluetooth]
[  222.848416] RIP: 0010:compute_ecdh_secret+0x5a/0x270 [bluetooth]
[  222.848540] Code: 0c af f5 48 8b 3d 46 de f0 f6 ba 40 00 00 00 be c0 00 60 00 e8 b7 7b c5 f5 48 85 c0 0f 84 ea 01 00 00 48 89 c3 e8 16 0c af f5 <49> 8b 47 38 be c0 00 60 00 8b 78 f8 48 83 c7 48 e8 51 84 c5 f5 48
[  222.848914] RSP: 0018:ffffb1664087fbc0 EFLAGS: 00010293
[  222.849021] RAX: ffff8a5750d7dc00 RBX: ffff8a5671096780 RCX: ffffffffc08bc32a
[  222.849111] RDX: 0000000000000000 RSI: 00000000006000c0 RDI: ffff8a5752003800
[  222.849192] RBP: ffffb1664087fc60 R08: ffff8a57525280a0 R09: ffff8a5752003800
[  222.849269] R10: ffffb1664087fc70 R11: 0000000000000093 R12: ffff8a5674396e00
[  222.849350] R13: ffff8a574c2e79aa R14: ffff8a574c2e796a R15: 020e0e100d010101
[  222.849429] FS:  0000000000000000(0000) GS:ffff8a5752500000(0000) knlGS:0000000000000000
[  222.849518] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  222.849586] CR2: 000055856016a038 CR3: 0000000110d2c005 CR4: 00000000000606e0
[  222.849671] Call Trace:
[  222.849745]  ? sc_send_public_key+0x110/0x2a0 [bluetooth]
[  222.849825]  ? sc_send_public_key+0x115/0x2a0 [bluetooth]
[  222.849925]  smp_recv_cb+0x959/0x2490 [bluetooth]
[  222.850023]  ? _cond_resched+0x19/0x40
[  222.850105]  ? mutex_lock+0x12/0x40
[  222.850202]  l2cap_recv_frame+0x109d/0x3420 [bluetooth]
[  222.850315]  ? l2cap_recv_frame+0x109d/0x3420 [bluetooth]
[  222.850426]  ? __switch_to_asm+0x34/0x70
[  222.850515]  ? __switch_to_asm+0x40/0x70
[  222.850625]  ? __switch_to_asm+0x34/0x70
[  222.850724]  ? __switch_to_asm+0x40/0x70
[  222.850786]  ? __switch_to_asm+0x34/0x70
[  222.850846]  ? __switch_to_asm+0x40/0x70
[  222.852581]  ? __switch_to_asm+0x34/0x70
[  222.854976]  ? __switch_to_asm+0x40/0x70
[  222.857475]  ? __switch_to_asm+0x40/0x70
[  222.859775]  ? __switch_to_asm+0x34/0x70
[  222.861218]  ? __switch_to_asm+0x40/0x70
[  222.862327]  ? __switch_to_asm+0x34/0x70
[  222.863758]  l2cap_recv_acldata+0x266/0x3c0 [bluetooth]
[  222.865122]  hci_rx_work+0x1c9/0x430 [bluetooth]
[  222.867144]  process_one_work+0x210/0x4c0
[  222.868248]  worker_thread+0x41/0x4d0
[  222.869420]  kthread+0x141/0x160
[  222.870694]  ? process_one_work+0x4c0/0x4c0
[  222.871668]  ? kthread_create_worker_on_cpu+0x90/0x90
[  222.872896]  ret_from_fork+0x35/0x40
[  222.874132] Modules linked in: algif_hash algif_skcipher af_alg rfcomm bnep btusb btrtl btbcm btintel snd_intel8x0 cmac intel_rapl_perf vboxvideo(C) snd_ac97_codec bluetooth ac97_bus joydev ttm snd_pcm ecdh_generic drm_kms_helper snd_timer snd input_leds drm serio_raw fb_sys_fops soundcore syscopyarea sysfillrect sysimgblt mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper ahci psmouse libahci i2c_piix4 video e1000 pata_acpi
[  222.883153] fbcon_switch: detected unhandled fb_set_par error, error code -16
[  222.886774] fbcon_switch: detected unhandled fb_set_par error, error code -16
[  222.890503] ---[ end trace 6504aa7a777b5316 ]---
[  222.890541] RIP: 0010:compute_ecdh_secret+0x5a/0x270 [bluetooth]
[  222.890551] Code: 0c af f5 48 8b 3d 46 de f0 f6 ba 40 00 00 00 be c0 00 60 00 e8 b7 7b c5 f5 48 85 c0 0f 84 ea 01 00 00 48 89 c3 e8 16 0c af f5 <49> 8b 47 38 be c0 00 60 00 8b 78 f8 48 83 c7 48 e8 51 84 c5 f5 48
[  222.890555] RSP: 0018:ffffb1664087fbc0 EFLAGS: 00010293
[  222.890561] RAX: ffff8a5750d7dc00 RBX: ffff8a5671096780 RCX: ffffffffc08bc32a
[  222.890565] RDX: 0000000000000000 RSI: 00000000006000c0 RDI: ffff8a5752003800
[  222.890571] RBP: ffffb1664087fc60 R08: ffff8a57525280a0 R09: ffff8a5752003800
[  222.890576] R10: ffffb1664087fc70 R11: 0000000000000093 R12: ffff8a5674396e00
[  222.890581] R13: ffff8a574c2e79aa R14: ffff8a574c2e796a R15: 020e0e100d010101
[  222.890586] FS:  0000000000000000(0000) GS:ffff8a5752500000(0000) knlGS:0000000000000000
[  222.890591] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  222.890594] CR2: 000055856016a038 CR3: 0000000110d2c005 CR4: 00000000000606e0

This commit fixes a bug where an invalid pointer to the crypto tfm was used
for the SMP SC ECDH calculation when OOB was in use. The solution is to use
the same crypto tfm as when generating the OOB material in the generate_oob()
function.

This bug was introduced in commit c0153b0b901a ("Bluetooth: let the crypto
subsystem generate the ecc privkey"). The bug was found by fuzzing the kernel
SMP implementation using Synopsys Defensics.

Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 net/bluetooth/smp.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 9752879fdd3a..3a7b0773536b 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2700,7 +2700,13 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
 	 * key was set/generated.
 	 */
 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
-		struct smp_dev *smp_dev = chan->data;
+		struct l2cap_chan *hchan = hdev->smp_data;
+		struct smp_dev *smp_dev;
+
+		if (!hchan || !hchan->data)
+			return SMP_UNSPECIFIED;
+
+		smp_dev = hchan->data;
 
 		tfm_ecdh = smp_dev->tfm_ecdh;
 	} else {
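Review bot: `hdev` is used in `struct l2cap_chan *hchan = hdev->smp_data;` but it is neither a parameter of smp_cmd_public_key() nor declared anywhere in the hunk; confirm it is already a local in this function in the 4.18 tree (derived from the connection's hci_conn), otherwise the backport will not compile. The removed line cast the per-connection channel's `data` to `struct smp_dev`, which is the wrong type for that channel, and the oops bears that out: the faulting bytes in the Code line (`49 8b 47 38`, i.e. `mov 0x38(%r15),%rax`) with R15 = 020e0e100d010101 show a non-canonical value being dereferenced as the tfm, which is consistent with a pointer read out of the wrong struct and explains why this is a general protection fault rather than a page fault. Going through `hdev->smp_data` so that the tfm is the one generate_oob() used, as the commit message states, is the right fix. The `!hchan || !hchan->data` check returning SMP_UNSPECIFIED is reasonable defence since SMP_FLAG_LOCAL_OOB should only be set once local OOB data exists; consider extending the comment above the `if` ("key was set/generated") to say that the device-level SMP channel, not the connection's, holds that tfm, so the next reader does not reintroduce `chan->data` here.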
-- 
2.17.1
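The crash above is an instance of a general pattern: one generic object type (l2cap_chan) carries a void *data whose concrete type depends on which channel it is, and the removed line cast the wrong channel's data. The following is an added example, not code from the patch or from the kernel, that models the pattern in plain C with the buggy read beside the patched lookup. The struct layouts, the tagged accessor smp_dev_of() and the fixture bytes are invented for illustration (the names mirror the patch, the layouts do not mirror the kernel); the fixture bytes are chosen so the wrong-type read yields the R15 value from the oops.

```c
/* Added example, not code from the patch or the kernel. It models the bug
 * class behind the fix: l2cap_chan carries a void *data whose concrete type
 * depends on which channel it is, so casting the per-connection channel's
 * data to the per-device struct reads arbitrary bytes as a pointer.
 * Struct layouts and fixture bytes are invented for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum chan_kind { CHAN_DEVICE = 1, CHAN_CONN = 2 };

struct crypto_kpp { const char *alg; };	/* stand-in for a crypto tfm */

/* Per-device SMP state: owns the tfm that generated the local OOB data. */
struct smp_dev { struct crypto_kpp *tfm_ecdh; uint8_t local_pk[64]; };

/* Per-connection SMP state: begins with bytes received from the peer. */
struct smp_chan { uint8_t preq[7]; uint8_t prsp[7]; struct crypto_kpp *tfm_ecdh; };

struct l2cap_chan { enum chan_kind kind; void *data; };
struct hci_dev    { struct l2cap_chan *smp_data; };
struct l2cap_conn { struct hci_dev *hdev; struct l2cap_chan *smp; };

/* The removed line's behaviour: treat the per-connection chan->data as an
 * smp_dev and take its first word as tfm_ecdh. Done as an explicit
 * little-endian load and returned as an integer, so nothing is dereferenced. */
uint64_t tfm_word_buggy(const struct l2cap_conn *conn)
{
	const uint8_t *p = conn->smp->data;
	uint64_t w = 0;
	for (int i = 7; i >= 0; i--)
		w = (w << 8) | p[i];
	return w;
}

/* x86-64 raises #GP rather than a page fault for a non-canonical address,
 * which is why the oops above is a "general protection fault". */
int is_canonical_x86_64(uint64_t addr)
{
	uint64_t top = addr >> 47;
	return top == 0 || top == 0x1ffff;
}

/* Tagged accessor: only the device-level channel yields an smp_dev. */
struct smp_dev *smp_dev_of(struct l2cap_chan *chan)
{
	if (!chan || chan->kind != CHAN_DEVICE || !chan->data)
		return NULL;
	return chan->data;
}

/* Mirrors the patched if/else: with local OOB, reach the device tfm through
 * hdev->smp_data and fail (NULL here, SMP_UNSPECIFIED in the patch) if that
 * channel is missing; otherwise use the per-connection tfm. */
struct crypto_kpp *select_tfm_fixed(const struct l2cap_conn *conn, int local_oob)
{
	if (local_oob) {
		struct smp_dev *dev = smp_dev_of(conn->hdev->smp_data);
		return dev ? dev->tfm_ecdh : NULL;
	}
	return ((struct smp_chan *)conn->smp->data)->tfm_ecdh;
}

/* Constructed fixture. The leading connection-state bytes are chosen so the
 * wrong-type read yields the R15 value from the oops; that shows the shape
 * of the failure and is not a claim about the real kernel layout. */
static struct crypto_kpp dev_tfm = { "ecdh (device, as used by generate_oob)" };
static struct crypto_kpp conn_tfm = { "ecdh (per connection)" };
static struct smp_dev dev_state;
static struct smp_chan conn_state;
static struct l2cap_chan dev_chan, conn_chan;
static struct hci_dev g_hdev;
static struct l2cap_conn g_conn;

struct l2cap_conn *setup_fixture(int with_device_chan)
{
	static const uint8_t preq[7] = { 0x01, 0x01, 0x01, 0x0d, 0x10, 0x0e, 0x0e };

	memset(&conn_state, 0, sizeof conn_state);
	memcpy(conn_state.preq, preq, sizeof preq);
	conn_state.prsp[0] = 0x02;
	conn_state.tfm_ecdh = &conn_tfm;
	dev_state.tfm_ecdh = &dev_tfm;
	dev_chan = (struct l2cap_chan){ CHAN_DEVICE, &dev_state };
	conn_chan = (struct l2cap_chan){ CHAN_CONN, &conn_state };
	g_hdev.smp_data = with_device_chan ? &dev_chan : NULL;
	g_conn.hdev = &g_hdev;
	g_conn.smp = &conn_chan;
	return &g_conn;
}

int main(void)
{
	struct l2cap_conn *c = setup_fixture(1);
	uint64_t w = tfm_word_buggy(c);

	printf("buggy cast: tfm_ecdh=%016llx canonical=%d\n",
	       (unsigned long long)w, is_canonical_x86_64(w));
	printf("fixed, local OOB: %s\n", select_tfm_fixed(c, 1)->alg);
	printf("fixed, no OOB:    %s\n", select_tfm_fixed(c, 0)->alg);
	printf("fixed, device channel missing: %s\n",
	       select_tfm_fixed(setup_fixture(0), 1) ? "tfm" : "rejected");
	return 0;
}
```

The kind tag on l2cap_chan is the part that goes beyond the patch: the kernel relies on the caller knowing which channel it holds, whereas the tagged accessor makes a wrong-channel cast fail closed instead of yielding a garbage tfm. The canonical-address check is only there to tie the garbage value back to the #GP in the oops; any real kernel pointer, such as the RAX value in the trace, passes it.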

