* [PATCH] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
@ 2021-08-28 16:18 Takashi Iwai
From: Takashi Iwai @ 2021-08-28 16:18 UTC (permalink / raw)
To: Luiz Augusto von Dentz
Cc: Marcel Holtmann, Johan Hedberg, linux-bluetooth, linux-kernel
The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
call that may be endlessly blocked by a task with userfaultfd
technique, and this will result in a hung task watchdog trigger.
Just like the similar fix for hci_sock_sendmsg() in commit
92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
the memcpy_from_msg() out of lock_sock() for addressing the hang.
This should be the last piece for fixing CVE-2021-3640 after a few
already queued fixes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
net/bluetooth/sco.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 98a881586512..687e05718aad 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -280,7 +280,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
return err;
}
-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+static int sco_send_frame(struct sock *sk, void *buf, int len,
+ unsigned int msg_flags)
{
struct sco_conn *conn = sco_pi(sk)->conn;
struct sk_buff *skb;
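Review bot: the new `buf` parameter is only ever read (it is the memcpy source), so declaring it `const void *buf` would document that sco_send_frame() does not modify the caller's buffer and lets the compiler enforce it; `unsigned int msg_flags` matches the type of `msg->msg_flags`, which is fine.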
@@ -292,15 +293,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
BT_DBG("sk %p len %d", sk, len);
- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
+ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
if (!skb)
return err;
- if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
- kfree_skb(skb);
- return -EFAULT;
- }
-
+ memcpy(skb_put(skb, len), buf, len);
hci_send_sco(conn->hcon, skb);
return len;
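Review bot: with memcpy_from_msg() and its `-EFAULT` path removed, sco_send_frame() now silently assumes that `buf` holds at least `len` bytes that were already copied in and validated by the caller; a one-line comment above the function stating that precondition (data is copied from user space before lock_sock(), so no user-memory access may happen here) would keep the next person from reintroducing a blocking copy under the lock.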
@@ -725,6 +722,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
size_t len)
{
struct sock *sk = sock->sk;
+ void *buf;
int err;
BT_DBG("sock %p, sk %p", sock, sk);
@@ -736,14 +734,23 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
if (msg->msg_flags & MSG_OOB)
return -EOPNOTSUPP;
+ buf = kmalloc(len, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+ if (memcpy_from_msg(buf, msg, len)) {
+ kfree(buf);
+ return -EFAULT;
+ }
+
lock_sock(sk);
if (sk->sk_state == BT_CONNECTED)
- err = sco_send_frame(sk, msg, len);
+ err = sco_send_frame(sk, buf, len, msg->msg_flags);
else
err = -ENOTCONN;
release_sock(sk);
+ kfree(buf);
return err;
}
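Review bot: `kmalloc(len, GFP_KERNEL)` allocates a user-chosen size and nothing in this hunk bounds `len` before the allocation, so confirm that an upper limit (such as a check against the connection MTU) is enforced earlier in sco_sock_sendmsg() or add one here; otherwise a large sendmsg() length turns straight into a large allocation attempt. Also note that the allocation and copy now happen before the `BT_CONNECTED` check, so a send on an unconnected socket pays for kmalloc() and the copy before getting `-ENOTCONN`; that is acceptable, but worth a sentence in the commit message. The `kfree(buf)` after release_sock() is correctly placed on both the success and `-ENOTCONN` paths.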
--
2.26.2
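The hazard the patch removes is an ordering one: a copy from user memory that can stall indefinitely (a userfaultfd-backed page in the real bug) must not run while the socket lock is held, because every other lock_sock() user then waits behind it. The following user-space C program is an added example, not kernel code from the patch or from the Bluetooth subsystem: it models lock_sock()/release_sock() with a pthread mutex, models memcpy_from_msg() with a copy that blocks on a condition variable until a "fault" is serviced, and then checks whether a second task can still take the socket lock under the old ordering (copy under the lock) and the patched ordering (copy first, lock second). The payload, the `struct model` and the function names are constructed for this illustration.

```c
/* Added example (not kernel code): user-space model of why a blocking
 * copy from user memory must not run under the socket lock.
 * Compile with: cc -pthread model.c */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#define MSG_LEN 16

/* Constructed payload: 15 characters plus NUL = MSG_LEN bytes. */
static const char payload[MSG_LEN] = "constructed-msg";

struct model {
    pthread_mutex_t sock_lock;   /* stands in for lock_sock()/release_sock() */
    pthread_mutex_t state_lock;  /* protects the flags below */
    pthread_cond_t  state_cv;
    int in_copy;                 /* sender has entered the (stalled) copy */
    int fault_resolved;          /* the simulated page fault has been serviced */
    int copy_under_lock;         /* 1 = old ordering, 0 = patched ordering */
    const char *src;
    char dst[MSG_LEN];
};

/* Stand-in for memcpy_from_msg(): announce that the copy has started,
 * stall until the "fault" is resolved, then perform the copy. */
static void copy_from_user_may_stall(struct model *m)
{
    pthread_mutex_lock(&m->state_lock);
    m->in_copy = 1;
    pthread_cond_broadcast(&m->state_cv);
    while (!m->fault_resolved)
        pthread_cond_wait(&m->state_cv, &m->state_lock);
    pthread_mutex_unlock(&m->state_lock);
    memcpy(m->dst, m->src, MSG_LEN);
}

/* The sendmsg() path in either ordering. */
static void *sender(void *arg)
{
    struct model *m = arg;
    if (m->copy_under_lock) {
        pthread_mutex_lock(&m->sock_lock);
        copy_from_user_may_stall(m);     /* old: stall while holding the lock */
        pthread_mutex_unlock(&m->sock_lock);
    } else {
        copy_from_user_may_stall(m);     /* patched: stall with no lock held */
        pthread_mutex_lock(&m->sock_lock);
        pthread_mutex_unlock(&m->sock_lock);
    }
    return NULL;
}

/* Returns 1 if a second task cannot take the socket lock within `ms`
 * milliseconds while the sender's copy is stalled, 0 if it can,
 * -1 on thread creation failure. */
static int other_task_blocked(int copy_under_lock, int ms)
{
    struct model m;
    pthread_t tid;
    int blocked = 1;
    struct timespec tick = { 0, 1000000L };   /* 1 ms */

    memset(&m, 0, sizeof m);
    pthread_mutex_init(&m.sock_lock, NULL);
    pthread_mutex_init(&m.state_lock, NULL);
    pthread_cond_init(&m.state_cv, NULL);
    m.copy_under_lock = copy_under_lock;
    m.src = payload;

    if (pthread_create(&tid, NULL, sender, &m) != 0)
        return -1;

    /* Wait until the sender is really stalled inside the copy. */
    pthread_mutex_lock(&m.state_lock);
    while (!m.in_copy)
        pthread_cond_wait(&m.state_cv, &m.state_lock);
    pthread_mutex_unlock(&m.state_lock);

    /* Poll for the socket lock, as any other lock_sock() user would. */
    for (int i = 0; i < ms; i++) {
        if (pthread_mutex_trylock(&m.sock_lock) == 0) {
            pthread_mutex_unlock(&m.sock_lock);
            blocked = 0;
            break;
        }
        nanosleep(&tick, NULL);
    }

    /* Service the "fault" so the sender can finish, then clean up. */
    pthread_mutex_lock(&m.state_lock);
    m.fault_resolved = 1;
    pthread_cond_broadcast(&m.state_cv);
    pthread_mutex_unlock(&m.state_lock);
    pthread_join(tid, NULL);
    pthread_cond_destroy(&m.state_cv);
    pthread_mutex_destroy(&m.state_lock);
    pthread_mutex_destroy(&m.sock_lock);
    return blocked;
}

int main(void)
{
    printf("copy under lock : other task blocked = %d\n", other_task_blocked(1, 100));
    printf("copy before lock: other task blocked = %d\n", other_task_blocked(0, 100));
    return 0;
}
```

In the model the stall is resolved by the test harness, which is exactly what does not happen in the real bug: the user-space task that owns the userfaultfd region never services the fault, so under the old ordering the socket lock is held forever and the hung task watchdog fires. Moving the copy ahead of the lock, as the patch does, leaves the stalled task stuck only on its own send.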
* RE: Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
From: bluez.test.bot @ 2021-08-28 17:27 UTC (permalink / raw)
To: linux-bluetooth, tiwai
This is an automated email; please do not reply to it.
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=538733
---Test result---
Test Summary:
CheckPatch PASS 0.50 seconds
GitLint PASS 0.12 seconds
BuildKernel PASS 597.89 seconds
TestRunner: Setup PASS 405.71 seconds
TestRunner: l2cap-tester PASS 2.82 seconds
TestRunner: bnep-tester PASS 2.10 seconds
TestRunner: mgmt-tester PASS 32.10 seconds
TestRunner: rfcomm-tester PASS 2.39 seconds
TestRunner: sco-tester PASS 2.35 seconds
TestRunner: smp-tester FAIL 2.28 seconds
TestRunner: userchan-tester PASS 2.10 seconds
Details
##############################
Test: CheckPatch - PASS - 0.50 seconds
Run checkpatch.pl script with rule in .checkpatch.conf
##############################
Test: GitLint - PASS - 0.12 seconds
Run gitlint with rule in .gitlint
##############################
Test: BuildKernel - PASS - 597.89 seconds
Build Kernel with minimal configuration supports Bluetooth
##############################
Test: TestRunner: Setup - PASS - 405.71 seconds
Setup environment for running Test Runner
##############################
Test: TestRunner: l2cap-tester - PASS - 2.82 seconds
Run test-runner with l2cap-tester
Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: bnep-tester - PASS - 2.10 seconds
Run test-runner with bnep-tester
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: mgmt-tester - PASS - 32.10 seconds
Run test-runner with mgmt-tester
Total: 452, Passed: 449 (99.3%), Failed: 0, Not Run: 3
##############################
Test: TestRunner: rfcomm-tester - PASS - 2.39 seconds
Run test-runner with rfcomm-tester
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: sco-tester - PASS - 2.35 seconds
Run test-runner with sco-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: smp-tester - FAIL - 2.28 seconds
Run test-runner with smp-tester
Total: 8, Passed: 7 (87.5%), Failed: 1, Not Run: 0
Failed Test Cases
SMP Client - SC Request 2 Failed 0.022 seconds
##############################
Test: TestRunner: userchan-tester - PASS - 2.10 seconds
Run test-runner with userchan-tester
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
From: Marcel Holtmann @ 2021-08-30 14:49 UTC (permalink / raw)
To: Takashi Iwai
Cc: Luiz Augusto von Dentz, Johan Hedberg,
open list:BLUETOOTH SUBSYSTEM, open list
Hi Takashi,
> The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
> call that may be endlessly blocked by a task with userfaultfd
> technique, and this will result in a hung task watchdog trigger.
>
> Just like the similar fix for hci_sock_sendmsg() in commit
> 92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
> the memcpy_from_msg() out of lock_sock() for addressing the hang.
>
> This should be the last piece for fixing CVE-2021-3640 after a few
> already queued fixes.
>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> net/bluetooth/sco.c | 23 +++++++++++++++--------
> 1 file changed, 15 insertions(+), 8 deletions(-)
Patch has been applied to the bluetooth-next tree.
Regards
Marcel