linux-bluetooth.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Marcel Holtmann <marcel@holtmann.org>
To: Matias Karhumaa <matias.karhumaa@gmail.com>
Cc: Johan Hedberg <johan.hedberg@gmail.com>, linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH] Bluetooth: Check state in l2cap_disconnect_rsp
Date: Sat, 6 Jul 2019 15:24:00 +0200	[thread overview]
Message-ID: <BA19D8C4-BE85-48AB-B5F4-3DE003C65320@holtmann.org> (raw)
In-Reply-To: <20190521100722.GA15063@makarhum-Latitude-E5440>

Hi Matias,

> Because of both sides doing L2CAP disconnection at the same time, it
> was possible to receive L2CAP Disconnection Response with CID that was
> already freed. That caused problems if CID was already reused and L2CAP
> Connection Request with same CID was sent out. Before this patch kernel
> deleted channel context regardless of the state of the channel.
> 
> Example where leftover Disconnection Response (frame #402) causes local
> device to delete L2CAP channel which was not yet connected. This in
> turn confuses remote device's stack because same CID is re-used without
> properly disconnecting.
> 
> Btmon capture before patch:
> ** snip **
>> ACL Data RX: Handle 43 flags 0x02 dlen 8                #394 [hci1] 10.748949
>      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
>      RFCOMM: Disconnect (DISC) (0x43)
>         Address: 0x03 cr 1 dlci 0x00
>         Control: 0x53 poll/final 1
>         Length: 0
>         FCS: 0xfd
> < ACL Data TX: Handle 43 flags 0x00 dlen 8                #395 [hci1] 10.749062
>      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
>      RFCOMM: Unnumbered Ack (UA) (0x63)
>         Address: 0x03 cr 1 dlci 0x00
>         Control: 0x73 poll/final 1
>         Length: 0
>         FCS: 0xd7
> < ACL Data TX: Handle 43 flags 0x00 dlen 12               #396 [hci1] 10.749073
>      L2CAP: Disconnection Request (0x06) ident 17 len 4
>        Destination CID: 65
>        Source CID: 65
>> HCI Event: Number of Completed Packets (0x13) plen 5    #397 [hci1] 10.752391
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> HCI Event: Number of Completed Packets (0x13) plen 5    #398 [hci1] 10.753394
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> ACL Data RX: Handle 43 flags 0x02 dlen 12               #399 [hci1] 10.756499
>      L2CAP: Disconnection Request (0x06) ident 26 len 4
>        Destination CID: 65
>        Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12               #400 [hci1] 10.756548
>      L2CAP: Disconnection Response (0x07) ident 26 len 4
>        Destination CID: 65
>        Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12               #401 [hci1] 10.757459
>      L2CAP: Connection Request (0x02) ident 18 len 4
>        PSM: 1 (0x0001)
>        Source CID: 65
>> ACL Data RX: Handle 43 flags 0x02 dlen 12               #402 [hci1] 10.759148
>      L2CAP: Disconnection Response (0x07) ident 17 len 4
>        Destination CID: 65
>        Source CID: 65
> = bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o..   10.759447
>> HCI Event: Number of Completed Packets (0x13) plen 5    #403 [hci1] 10.759386
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> ACL Data RX: Handle 43 flags 0x02 dlen 12               #404 [hci1] 10.760397
>      L2CAP: Connection Request (0x02) ident 27 len 4
>        PSM: 3 (0x0003)
>        Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 16               #405 [hci1] 10.760441
>      L2CAP: Connection Response (0x03) ident 27 len 8
>        Destination CID: 65
>        Source CID: 65
>        Result: Connection successful (0x0000)
>        Status: No further information available (0x0000)
> < ACL Data TX: Handle 43 flags 0x00 dlen 27               #406 [hci1] 10.760449
>      L2CAP: Configure Request (0x04) ident 19 len 19
>        Destination CID: 65
>        Flags: 0x0000
>        Option: Maximum Transmission Unit (0x01) [mandatory]
>          MTU: 1013
>        Option: Retransmission and Flow Control (0x04) [mandatory]
>          Mode: Basic (0x00)
>          TX window size: 0
>          Max transmit: 0
>          Retransmission timeout: 0
>          Monitor timeout: 0
>          Maximum PDU size: 0
>> HCI Event: Number of Completed Packets (0x13) plen 5    #407 [hci1] 10.761399
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> ACL Data RX: Handle 43 flags 0x02 dlen 16               #408 [hci1] 10.762942
>      L2CAP: Connection Response (0x03) ident 18 len 8
>        Destination CID: 66
>        Source CID: 65
>        Result: Connection successful (0x0000)
>        Status: No further information available (0x0000)
> *snip*
> 
> Similar case after the patch:
> *snip*
>> ACL Data RX: Handle 43 flags 0x02 dlen 8            #22702 [hci0] 1664.411056
>      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
>      RFCOMM: Disconnect (DISC) (0x43)
>         Address: 0x03 cr 1 dlci 0x00
>         Control: 0x53 poll/final 1
>         Length: 0
>         FCS: 0xfd
> < ACL Data TX: Handle 43 flags 0x00 dlen 8            #22703 [hci0] 1664.411136
>      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
>      RFCOMM: Unnumbered Ack (UA) (0x63)
>         Address: 0x03 cr 1 dlci 0x00
>         Control: 0x73 poll/final 1
>         Length: 0
>         FCS: 0xd7
> < ACL Data TX: Handle 43 flags 0x00 dlen 12           #22704 [hci0] 1664.411143
>      L2CAP: Disconnection Request (0x06) ident 11 len 4
>        Destination CID: 65
>        Source CID: 65
>> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22705 [hci0] 1664.414009
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22706 [hci0] 1664.415007
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22707 [hci0] 1664.418674
>      L2CAP: Disconnection Request (0x06) ident 17 len 4
>        Destination CID: 65
>        Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12           #22708 [hci0] 1664.418762
>      L2CAP: Disconnection Response (0x07) ident 17 len 4
>        Destination CID: 65
>        Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12           #22709 [hci0] 1664.421073
>      L2CAP: Connection Request (0x02) ident 12 len 4
>        PSM: 1 (0x0001)
>        Source CID: 65
>> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22710 [hci0] 1664.421371
>      L2CAP: Disconnection Response (0x07) ident 11 len 4
>        Destination CID: 65
>        Source CID: 65
>> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22711 [hci0] 1664.424082
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22712 [hci0] 1664.425040
>        Num handles: 1
>        Handle: 43
>        Count: 1
>> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22713 [hci0] 1664.426103
>      L2CAP: Connection Request (0x02) ident 18 len 4
>        PSM: 3 (0x0003)
>        Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 16           #22714 [hci0] 1664.426186
>      L2CAP: Connection Response (0x03) ident 18 len 8
>        Destination CID: 66
>        Source CID: 65
>        Result: Connection successful (0x0000)
>        Status: No further information available (0x0000)
> < ACL Data TX: Handle 43 flags 0x00 dlen 27           #22715 [hci0] 1664.426196
>      L2CAP: Configure Request (0x04) ident 13 len 19
>        Destination CID: 65
>        Flags: 0x0000
>        Option: Maximum Transmission Unit (0x01) [mandatory]
>          MTU: 1013
>        Option: Retransmission and Flow Control (0x04) [mandatory]
>          Mode: Basic (0x00)
>          TX window size: 0
>          Max transmit: 0
>          Retransmission timeout: 0
>          Monitor timeout: 0
>          Maximum PDU size: 0
>> ACL Data RX: Handle 43 flags 0x02 dlen 16           #22716 [hci0] 1664.428804
>      L2CAP: Connection Response (0x03) ident 12 len 8
>        Destination CID: 66
>        Source CID: 65
>        Result: Connection successful (0x0000)
>        Status: No further information available (0x0000)
> *snip*
> 
> Fix is to check that channel is in state BT_DISCONN before deleting the
> channel.
> 
> This bug was found while fuzzing Bluez's OBEX implementation using
> Synopsys Defensics.
> 
> Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
> Reported-by: Ari Timonen <ari.timonen@synopsys.com>
> Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
> ---
> net/bluetooth/l2cap_core.c | 6 ++++++
> 1 file changed, 6 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel


      parent reply	other threads:[~2019-07-06 13:24 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-21 10:07 [PATCH] Bluetooth: Check state in l2cap_disconnect_rsp Matias Karhumaa
2019-07-06 10:07 ` Matias Karhumaa
2019-07-06 13:24 ` Marcel Holtmann [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=BA19D8C4-BE85-48AB-B5F4-3DE003C65320@holtmann.org \
    --to=marcel@holtmann.org \
    --cc=johan.hedberg@gmail.com \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=matias.karhumaa@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).