* [PATCH] Bluetooth: Fix NULL pointer dereference in bt_sock_recvmsg
@ 2016-12-29 12:51 Ezequiel Garcia
  2017-01-11 20:27 ` Ezequiel Garcia
  2017-02-16 16:24 ` Marcel Holtmann
  0 siblings, 2 replies; 4+ messages in thread
From: Ezequiel Garcia @ 2016-12-29 12:51 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: Marcel Holtmann, Gustavo Padovan, Johan Hedberg, Ezequiel Garcia

As per the comment in include/linux/net.h, the recvfrom handlers
should expect msg_name to be NULL. However, bt_sock_recvmsg()
is currently not checking it, which could lead to a NULL pointer
dereference.

The following NULL pointer dereference was produced while testing
L2CAP datagram reception. Note that the kernel is tainted due to
the r8723bs module being inserted. However, it seems the fix still
applies.

$ l2test -r -G
l2test[326]: Receiving ...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ee008000
[00000000] *pgd=7f896835
Internal error: Oops: 817 [#1] PREEMPT SMP ARM
Modules linked in: r8723bs(O)
CPU: 0 PID: 326 Comm: l2test Tainted: G           O 4.8.0 #1
Hardware name: Allwinner sun7i (A20) Family
task: ef1c6880 task.stack: eea70000
PC is at __memzero+0x58/0x80
LR is at l2cap_skb_msg_name+0x1c/0x4c
pc : [<c02c47d8>]    lr : [<c0506278>]    psr: 00070013
sp : eea71e60  ip : 00000000  fp : 00034e1c
r10: 00000000  r9 : 00000000  r8 : eea71ed4
r7 : 000002a0  r6 : eea71ed8  r5 : 00000000  r4 : ee4a5d80
r3 : 00000000  r2 : 00000000  r1 : 0000000e  r0 : 00000000
Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM Segment none
Control: 10c5387d  Table: 7600806a  DAC: 00000051
Process l2test (pid: 326, stack limit = 0xeea70210)
Stack: (0xeea71e60 to 0xeea72000)
1e60: ee4a5d80 eeac2800 000002a0 c04d7114 173eefa0 00000000 c06ca68e 00000000
1e80: 00000001 eeac2800 eef23500 00000000 000002a0 eea71ed4 eea70000 c0504d50
1ea0: 00000000 00000000 eef23500 00000000 00000000 c044e8a0 eea71edc eea9f904
1ec0: bef89aa0 fffffff7 00000000 00035008 000002a0 00000000 00000000 00000000
1ee0: 00000000 00000000 eea71ed4 00000000 00000000 00000000 00004000 00000000
1f00: 0000011b c01078c4 eea70000 c044e5e4 00000000 00000000 642f0001 6c2f7665
1f20: 0000676f 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f40: 00000000 00000000 00000000 00000000 00000000 ffffffff 00000001 bef89ad8
1f60: 000000a8 c01078c4 eea70000 00000000 00034e1c c01e6c74 00000000 00000000
1f80: 00034e1c 000341f8 00000000 00000123 c01078c4 c044e90c 00000000 00000000
1fa0: 000002a0 c0107700 00034e1c 000341f8 00000003 00035008 000002a0 00000000
1fc0: 00034e1c 000341f8 00000000 00000123 00000000 00000000 00011ffc 00034e1c
1fe0: 00000000 bef89aa4 0001211c b6eebb60 60070010 00000003 00000000 00000000
[<c02c47d8>] (__memzero) from [<c0506278>] (l2cap_skb_msg_name+0x1c/0x4c)
[<c0506278>] (l2cap_skb_msg_name) from [<c04d7114>] (bt_sock_recvmsg+0x128/0x160)
[<c04d7114>] (bt_sock_recvmsg) from [<c0504d50>] (l2cap_sock_recvmsg+0x98/0x134)
[<c0504d50>] (l2cap_sock_recvmsg) from [<c044e8a0>] (SyS_recvfrom+0x94/0xec)
[<c044e8a0>] (SyS_recvfrom) from [<c044e90c>] (SyS_recv+0x14/0x1c)
[<c044e90c>] (SyS_recv) from [<c0107700>] (ret_fast_syscall+0x0/0x3c)
Code: e3110010 18a0500c e49de004 e3110008 (18a0000c)
---[ end trace 224e35e79fe06b42 ]---

Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
---
 net/bluetooth/af_bluetooth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 1aff2da9bc74..cfb2faba46de 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -245,7 +245,7 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 	if (err == 0) {
 		sock_recv_ts_and_drops(msg, sk, skb);
 
-		if (bt_sk(sk)->skb_msg_name)
+		if (msg->msg_name && bt_sk(sk)->skb_msg_name)
 			bt_sk(sk)->skb_msg_name(skb, msg->msg_name,
 						&msg->msg_namelen);
 	}
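Review bot: nothing in the hunk records why msg->msg_name can be NULL, so a later cleanup could drop the new test as redundant; suggest a one-line comment above it citing the include/linux/net.h rule the commit message relies on, e.g. `/* msg_name is NULL when the caller did not ask for an address */`. Putting the guard here, in the generic dispatcher, rather than in each skb_msg_name callback is the right choice, since it covers every protocol that installs the hook. Note also that when msg_name is NULL the call is skipped entirely, so &msg->msg_namelen is no longer written and userspace sees whatever namelen the caller initialised; that is the expected outcome for the recv() path in the backtrace (SyS_recv into SyS_recvfrom), which passes no address.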
-- 
2.11.0

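The contract behind this one-line fix, as an added example that is not part of the patch or of the kernel tree: a userspace C model of the recv()/recvfrom() entry, the msghdr the kernel builds from it, and the L2CAP address hook. Every structure below is a simplified stand-in with an assumed layout (struct msghdr, struct sockaddr_l2, struct sk_buff, struct bt_sock); only the function names follow the kernel's, and the datagram and its source address are constructed. It shows where a NULL msg_name comes from (recv() is recvfrom() without an address, so the kernel builds the msghdr with msg_name = NULL and msg_namelen = 0), why the unguarded hook oopsed in __memzero, and why the guarded dispatch leaves msg_namelen untouched in that case.

```c
/* Added example, not code from the patch or the kernel tree: a userspace
 * model of the msg_name contract the fix relies on.  Every struct below is
 * a simplified stand-in for the kernel one (assumed layout); only the
 * function names follow the kernel's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_BLUETOOTH 31                 /* address family value on Linux */

typedef struct { uint8_t b[6]; } bdaddr_t;  /* stored little-endian, as in Linux */

/* Model of struct sockaddr_l2 as userspace sees it. */
struct sockaddr_l2 {
	uint16_t l2_family;
	uint16_t l2_psm;
	bdaddr_t l2_bdaddr;
	uint16_t l2_cid;
	uint8_t  l2_bdaddr_type;
};

/* Model of the received skb: the kernel keeps the source address in the
 * skb control block, here it is a plain field. */
struct sk_buff {
	bdaddr_t src;
	uint8_t  src_type;
	size_t   len;
};

/* Model of struct msghdr.  Per the comment in include/linux/net.h,
 * msg_name is NULL whenever userspace did not ask for an address. */
struct msghdr {
	void *msg_name;
	int   msg_namelen;
};

/* Model of struct bt_sock: the per-protocol hook that fills in msg_name. */
struct bt_sock {
	void (*skb_msg_name)(struct sk_buff *skb, void *msg_name, int *msg_namelen);
};

/* How often the hook ran, so a caller can check it was skipped. */
static int skb_msg_name_calls;

/* Model of l2cap_skb_msg_name(): zeroes and fills the address
 * unconditionally, which is the __memzero that oopsed on a NULL pointer. */
static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, int *msg_namelen)
{
	struct sockaddr_l2 *la = msg_name;

	skb_msg_name_calls++;
	memset(la, 0, sizeof(*la));         /* dereferences la: NULL would crash */
	la->l2_family = AF_BLUETOOTH;
	la->l2_bdaddr = skb->src;
	la->l2_bdaddr_type = skb->src_type;
	*msg_namelen = sizeof(*la);
}

/* Model of the patched bt_sock_recvmsg() tail.  Before the patch the test
 * was only "if (bt->skb_msg_name)", so a NULL msg_name reached the hook. */
static void bt_sock_recvmsg_tail(struct bt_sock *bt, struct msghdr *msg, struct sk_buff *skb)
{
	if (msg->msg_name && bt->skb_msg_name)
		bt->skb_msg_name(skb, msg->msg_name, &msg->msg_namelen);
}

/* Model of the syscall entry: recv() is recvfrom() with no address, so the
 * kernel builds the msghdr with msg_name = NULL and msg_namelen = 0.
 * Returns the datagram length and leaves the address length in *out_len. */
int recv_model(int want_addr, struct sockaddr_l2 *out, int *out_len)
{
	/* Constructed sample datagram from 00:11:22:33:44:55 (public address). */
	struct sk_buff skb = {
		.src = {{ 0x55, 0x44, 0x33, 0x22, 0x11, 0x00 }},
		.src_type = 0,
		.len = 16,
	};
	struct bt_sock bt = { .skb_msg_name = l2cap_skb_msg_name };
	struct msghdr msg = {
		.msg_name = want_addr ? (void *)out : NULL,
		.msg_namelen = 0,
	};

	bt_sock_recvmsg_tail(&bt, &msg, &skb);
	*out_len = msg.msg_namelen;
	return (int)skb.len;
}

int main(void)
{
	struct sockaddr_l2 la;
	int len;

	recv_model(0, &la, &len);           /* recv(): no address wanted */
	printf("recv():     namelen=%d hook calls=%d\n", len, skb_msg_name_calls);
	recv_model(1, &la, &len);           /* recvfrom() with an address */
	printf("recvfrom(): namelen=%d family=%u bdaddr[5]=%02x\n",
	       len, (unsigned)la.l2_family, la.l2_bdaddr.b[5]);
	return 0;
}
```

With the guard in place, the recv() path returns the datagram with msg_namelen still 0 and the hook never runs; the recvfrom() path runs the hook once and reports sizeof(struct sockaddr_l2). Restoring the pre-patch condition in bt_sock_recvmsg_tail reproduces the crash on the first call, because memset() is then handed the NULL msg_name.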

* Re: [PATCH] Bluetooth: Fix NULL pointer dereference in bt_sock_recvmsg
  2016-12-29 12:51 [PATCH] Bluetooth: Fix NULL pointer dereference in bt_sock_recvmsg Ezequiel Garcia
@ 2017-01-11 20:27 ` Ezequiel Garcia
  2017-01-23 15:36   ` Ezequiel Garcia
  2017-02-16 16:24 ` Marcel Holtmann
  1 sibling, 1 reply; 4+ messages in thread
From: Ezequiel Garcia @ 2017-01-11 20:27 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: Marcel Holtmann, Gustavo Padovan, Johan Hedberg, Ezequiel Garcia

On 29 December 2016 at 09:51, Ezequiel Garcia
<ezequiel@vanguardiasur.com.ar> wrote:
> As per the comment in include/linux/net.h, the recvfrom handlers
> should expect msg_name to be NULL. However, bt_sock_recvmsg()
> is currently not checking it, which could lead to a NULL pointer
> dereference.
>
> The following NULL pointer dereference was produced while testing
> L2CAP datagram reception. Note that the kernel is tainted due to
> the r8723bs module being inserted. However, it seems the fix still
> applies.
>
> $ l2test -r -G
> l2test[326]: Receiving ...
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> pgd = ee008000
> [00000000] *pgd=7f896835
> Internal error: Oops: 817 [#1] PREEMPT SMP ARM
> Modules linked in: r8723bs(O)
> CPU: 0 PID: 326 Comm: l2test Tainted: G           O 4.8.0 #1
> Hardware name: Allwinner sun7i (A20) Family
> task: ef1c6880 task.stack: eea70000
> PC is at __memzero+0x58/0x80
> LR is at l2cap_skb_msg_name+0x1c/0x4c
> pc : [<c02c47d8>]    lr : [<c0506278>]    psr: 00070013
> sp : eea71e60  ip : 00000000  fp : 00034e1c
> r10: 00000000  r9 : 00000000  r8 : eea71ed4
> r7 : 000002a0  r6 : eea71ed8  r5 : 00000000  r4 : ee4a5d80
> r3 : 00000000  r2 : 00000000  r1 : 0000000e  r0 : 00000000
> Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM Segment none
> Control: 10c5387d  Table: 7600806a  DAC: 00000051
> Process l2test (pid: 326, stack limit = 0xeea70210)
> Stack: (0xeea71e60 to 0xeea72000)
> 1e60: ee4a5d80 eeac2800 000002a0 c04d7114 173eefa0 00000000 c06ca68e 00000000
> 1e80: 00000001 eeac2800 eef23500 00000000 000002a0 eea71ed4 eea70000 c0504d50
> 1ea0: 00000000 00000000 eef23500 00000000 00000000 c044e8a0 eea71edc eea9f904
> 1ec0: bef89aa0 fffffff7 00000000 00035008 000002a0 00000000 00000000 00000000
> 1ee0: 00000000 00000000 eea71ed4 00000000 00000000 00000000 00004000 00000000
> 1f00: 0000011b c01078c4 eea70000 c044e5e4 00000000 00000000 642f0001 6c2f7665
> 1f20: 0000676f 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1f40: 00000000 00000000 00000000 00000000 00000000 ffffffff 00000001 bef89ad8
> 1f60: 000000a8 c01078c4 eea70000 00000000 00034e1c c01e6c74 00000000 00000000
> 1f80: 00034e1c 000341f8 00000000 00000123 c01078c4 c044e90c 00000000 00000000
> 1fa0: 000002a0 c0107700 00034e1c 000341f8 00000003 00035008 000002a0 00000000
> 1fc0: 00034e1c 000341f8 00000000 00000123 00000000 00000000 00011ffc 00034e1c
> 1fe0: 00000000 bef89aa4 0001211c b6eebb60 60070010 00000003 00000000 00000000
> [<c02c47d8>] (__memzero) from [<c0506278>] (l2cap_skb_msg_name+0x1c/0x4c)
> [<c0506278>] (l2cap_skb_msg_name) from [<c04d7114>] (bt_sock_recvmsg+0x128/0x160)
> [<c04d7114>] (bt_sock_recvmsg) from [<c0504d50>] (l2cap_sock_recvmsg+0x98/0x134)
> [<c0504d50>] (l2cap_sock_recvmsg) from [<c044e8a0>] (SyS_recvfrom+0x94/0xec)
> [<c044e8a0>] (SyS_recvfrom) from [<c044e90c>] (SyS_recv+0x14/0x1c)
> [<c044e90c>] (SyS_recv) from [<c0107700>] (ret_fast_syscall+0x0/0x3c)
> Code: e3110010 18a0500c e49de004 e3110008 (18a0000c)
> ---[ end trace 224e35e79fe06b42 ]---
>
> Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
> ---
>  net/bluetooth/af_bluetooth.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 1aff2da9bc74..cfb2faba46de 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -245,7 +245,7 @@ int bt_sock_recvmsg(struct socket *sock, struct msghd=
r *msg, size_t len,
>         if (err =3D=3D 0) {
>                 sock_recv_ts_and_drops(msg, sk, skb);
>
> -               if (bt_sk(sk)->skb_msg_name)
> +               if (msg->msg_name && bt_sk(sk)->skb_msg_name)
>                         bt_sk(sk)->skb_msg_name(skb, msg->msg_name,
>                                                 &msg->msg_namelen);
>         }
> --
> 2.11.0
>

Any feedback here?
-- 
Ezequiel García, VanguardiaSur
www.vanguardiasur.com.ar


* Re: [PATCH] Bluetooth: Fix NULL pointer dereference in bt_sock_recvmsg
  2017-01-11 20:27 ` Ezequiel Garcia
@ 2017-01-23 15:36   ` Ezequiel Garcia
  0 siblings, 0 replies; 4+ messages in thread
From: Ezequiel Garcia @ 2017-01-23 15:36 UTC (permalink / raw)
  To: linux-bluetooth, Andrew Morton
  Cc: Marcel Holtmann, Gustavo Padovan, Johan Hedberg, Ezequiel Garcia

+Andrew

On 11 January 2017 at 17:27, Ezequiel Garcia
<ezequiel@vanguardiasur.com.ar> wrote:
> On 29 December 2016 at 09:51, Ezequiel Garcia
> <ezequiel@vanguardiasur.com.ar> wrote:
>> As per the comment in include/linux/net.h, the recvfrom handlers
>> should expect msg_name to be NULL. However, bt_sock_recvmsg()
>> is currently not checking it, which could lead to a NULL pointer
>> dereference.
>>
>> The following NULL pointer dereference was produced while testing
>> L2CAP datagram reception. Note that the kernel is tainted due to
>> the r8723bs module being inserted. However, it seems the fix still
>> applies.
>>
>> $ l2test -r -G
>> l2test[326]: Receiving ...
>> Unable to handle kernel NULL pointer dereference at virtual address 00000000
>> pgd = ee008000
>> [00000000] *pgd=7f896835
>> Internal error: Oops: 817 [#1] PREEMPT SMP ARM
>> Modules linked in: r8723bs(O)
>> CPU: 0 PID: 326 Comm: l2test Tainted: G           O 4.8.0 #1
>> Hardware name: Allwinner sun7i (A20) Family
>> task: ef1c6880 task.stack: eea70000
>> PC is at __memzero+0x58/0x80
>> LR is at l2cap_skb_msg_name+0x1c/0x4c
>> pc : [<c02c47d8>]    lr : [<c0506278>]    psr: 00070013
>> sp : eea71e60  ip : 00000000  fp : 00034e1c
>> r10: 00000000  r9 : 00000000  r8 : eea71ed4
>> r7 : 000002a0  r6 : eea71ed8  r5 : 00000000  r4 : ee4a5d80
>> r3 : 00000000  r2 : 00000000  r1 : 0000000e  r0 : 00000000
>> Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM Segment none
>> Control: 10c5387d  Table: 7600806a  DAC: 00000051
>> Process l2test (pid: 326, stack limit = 0xeea70210)
>> Stack: (0xeea71e60 to 0xeea72000)
>> 1e60: ee4a5d80 eeac2800 000002a0 c04d7114 173eefa0 00000000 c06ca68e 00000000
>> 1e80: 00000001 eeac2800 eef23500 00000000 000002a0 eea71ed4 eea70000 c0504d50
>> 1ea0: 00000000 00000000 eef23500 00000000 00000000 c044e8a0 eea71edc eea9f904
>> 1ec0: bef89aa0 fffffff7 00000000 00035008 000002a0 00000000 00000000 00000000
>> 1ee0: 00000000 00000000 eea71ed4 00000000 00000000 00000000 00004000 00000000
>> 1f00: 0000011b c01078c4 eea70000 c044e5e4 00000000 00000000 642f0001 6c2f7665
>> 1f20: 0000676f 00000000 00000000 00000000 00000000 00000000 00000000 00000000
>> 1f40: 00000000 00000000 00000000 00000000 00000000 ffffffff 00000001 bef89ad8
>> 1f60: 000000a8 c01078c4 eea70000 00000000 00034e1c c01e6c74 00000000 00000000
>> 1f80: 00034e1c 000341f8 00000000 00000123 c01078c4 c044e90c 00000000 00000000
>> 1fa0: 000002a0 c0107700 00034e1c 000341f8 00000003 00035008 000002a0 00000000
>> 1fc0: 00034e1c 000341f8 00000000 00000123 00000000 00000000 00011ffc 00034e1c
>> 1fe0: 00000000 bef89aa4 0001211c b6eebb60 60070010 00000003 00000000 00000000
>> [<c02c47d8>] (__memzero) from [<c0506278>] (l2cap_skb_msg_name+0x1c/0x4c)
>> [<c0506278>] (l2cap_skb_msg_name) from [<c04d7114>] (bt_sock_recvmsg+0x128/0x160)
>> [<c04d7114>] (bt_sock_recvmsg) from [<c0504d50>] (l2cap_sock_recvmsg+0x98/0x134)
>> [<c0504d50>] (l2cap_sock_recvmsg) from [<c044e8a0>] (SyS_recvfrom+0x94/0xec)
>> [<c044e8a0>] (SyS_recvfrom) from [<c044e90c>] (SyS_recv+0x14/0x1c)
>> [<c044e90c>] (SyS_recv) from [<c0107700>] (ret_fast_syscall+0x0/0x3c)
>> Code: e3110010 18a0500c e49de004 e3110008 (18a0000c)
>> ---[ end trace 224e35e79fe06b42 ]---
>>
>> Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
>> ---
>>  net/bluetooth/af_bluetooth.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
>> index 1aff2da9bc74..cfb2faba46de 100644
>> --- a/net/bluetooth/af_bluetooth.c
>> +++ b/net/bluetooth/af_bluetooth.c
>> @@ -245,7 +245,7 @@ int bt_sock_recvmsg(struct socket *sock, struct msgh=
dr *msg, size_t len,
>>         if (err =3D=3D 0) {
>>                 sock_recv_ts_and_drops(msg, sk, skb);
>>
>> -               if (bt_sk(sk)->skb_msg_name)
>> +               if (msg->msg_name && bt_sk(sk)->skb_msg_name)
>>                         bt_sk(sk)->skb_msg_name(skb, msg->msg_name,
>>                                                 &msg->msg_namelen);
>>         }
>> --
>> 2.11.0
>>
>
> Any feedback here?

Ping.
-- 
Ezequiel García, VanguardiaSur
www.vanguardiasur.com.ar


* Re: [PATCH] Bluetooth: Fix NULL pointer dereference in bt_sock_recvmsg
  2016-12-29 12:51 [PATCH] Bluetooth: Fix NULL pointer dereference in bt_sock_recvmsg Ezequiel Garcia
  2017-01-11 20:27 ` Ezequiel Garcia
@ 2017-02-16 16:24 ` Marcel Holtmann
  1 sibling, 0 replies; 4+ messages in thread
From: Marcel Holtmann @ 2017-02-16 16:24 UTC (permalink / raw)
  To: Ezequiel Garcia; +Cc: linux-bluetooth, Gustavo F. Padovan, Johan Hedberg

Hi Ezequiel,

> As per the comment in include/linux/net.h, the recvfrom handlers
> should expect msg_name to be NULL. However, bt_sock_recvmsg()
> is currently not checking it, which could lead to a NULL pointer
> dereference.
> 
> The following NULL pointer dereference was produced while testing
> L2CAP datagram reception. Note that the kernel is tainted due to
> the r8723bs module being inserted. However, it seems the fix still
> applies.
> 
> $ l2test -r -G
> l2test[326]: Receiving ...
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> pgd = ee008000
> [00000000] *pgd=7f896835
> Internal error: Oops: 817 [#1] PREEMPT SMP ARM
> Modules linked in: r8723bs(O)
> CPU: 0 PID: 326 Comm: l2test Tainted: G           O 4.8.0 #1
> Hardware name: Allwinner sun7i (A20) Family
> task: ef1c6880 task.stack: eea70000
> PC is at __memzero+0x58/0x80
> LR is at l2cap_skb_msg_name+0x1c/0x4c
> pc : [<c02c47d8>]    lr : [<c0506278>]    psr: 00070013
> sp : eea71e60  ip : 00000000  fp : 00034e1c
> r10: 00000000  r9 : 00000000  r8 : eea71ed4
> r7 : 000002a0  r6 : eea71ed8  r5 : 00000000  r4 : ee4a5d80
> r3 : 00000000  r2 : 00000000  r1 : 0000000e  r0 : 00000000
> Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM Segment none
> Control: 10c5387d  Table: 7600806a  DAC: 00000051
> Process l2test (pid: 326, stack limit = 0xeea70210)
> Stack: (0xeea71e60 to 0xeea72000)
> 1e60: ee4a5d80 eeac2800 000002a0 c04d7114 173eefa0 00000000 c06ca68e 00000000
> 1e80: 00000001 eeac2800 eef23500 00000000 000002a0 eea71ed4 eea70000 c0504d50
> 1ea0: 00000000 00000000 eef23500 00000000 00000000 c044e8a0 eea71edc eea9f904
> 1ec0: bef89aa0 fffffff7 00000000 00035008 000002a0 00000000 00000000 00000000
> 1ee0: 00000000 00000000 eea71ed4 00000000 00000000 00000000 00004000 00000000
> 1f00: 0000011b c01078c4 eea70000 c044e5e4 00000000 00000000 642f0001 6c2f7665
> 1f20: 0000676f 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1f40: 00000000 00000000 00000000 00000000 00000000 ffffffff 00000001 bef89ad8
> 1f60: 000000a8 c01078c4 eea70000 00000000 00034e1c c01e6c74 00000000 00000000
> 1f80: 00034e1c 000341f8 00000000 00000123 c01078c4 c044e90c 00000000 00000000
> 1fa0: 000002a0 c0107700 00034e1c 000341f8 00000003 00035008 000002a0 00000000
> 1fc0: 00034e1c 000341f8 00000000 00000123 00000000 00000000 00011ffc 00034e1c
> 1fe0: 00000000 bef89aa4 0001211c b6eebb60 60070010 00000003 00000000 00000000
> [<c02c47d8>] (__memzero) from [<c0506278>] (l2cap_skb_msg_name+0x1c/0x4c)
> [<c0506278>] (l2cap_skb_msg_name) from [<c04d7114>] (bt_sock_recvmsg+0x128/0x160)
> [<c04d7114>] (bt_sock_recvmsg) from [<c0504d50>] (l2cap_sock_recvmsg+0x98/0x134)
> [<c0504d50>] (l2cap_sock_recvmsg) from [<c044e8a0>] (SyS_recvfrom+0x94/0xec)
> [<c044e8a0>] (SyS_recvfrom) from [<c044e90c>] (SyS_recv+0x14/0x1c)
> [<c044e90c>] (SyS_recv) from [<c0107700>] (ret_fast_syscall+0x0/0x3c)
> Code: e3110010 18a0500c e49de004 e3110008 (18a0000c)
> ---[ end trace 224e35e79fe06b42 ]---
> 
> Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
> ---
> net/bluetooth/af_bluetooth.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Patch has been applied to the bluetooth-next tree.

Regards

Marcel

