[Linux-kernel-mentees] How does syzkaller manage to create Bluetooth connections in a VM which doesn't have a Bluetooth device

[Linux-kernel-mentees] How does syzkaller manage to create Bluetooth connections in a VM which doesn't have a Bluetooth device

[Coiby Xu]

Hi,

I have been trying to fix this issue [1] found by syzbot. I notice the
extracted syzkaller reproducer could connect to another Bluetooth device
successfully because l2cap_chan_connect successfully returns.

// net/Bluetooth/l2cap_sock.c
static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
			      int alen, int flags)
{
	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
				 &la.l2_bdaddr, la.l2_bdaddr_type);
}

However, if I use syz-prog2c to convert the syzkaller reproducer to a
C reproducer, the C reproducer could never make a socket connect call
successfully. So how does syzkaller manage to create Bluetooth connections
for the sykaller reproducer? I've understood why this issue [1] occurs
but haven't figured out how it occurs, i.e., what is the subtle race
condition. So I want to write a C reproducer to experiment on it.

[1] INFO: trying to register non-static key in l2cap_chan_del: https://syzkaller.appspot.com/bug?id=aca31fd1ef0cbf898bd37115e2c4c66fa37f4a20

--
Best regards,
Coiby
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [Linux-kernel-mentees] How does syzkaller manage to create Bluetooth connections in a VM which doesn't have a Bluetooth device

[Dmitry Vyukov via Linux-kernel-mentees]

,On Fri, Sep 4, 2020 at 4:20 PM Coiby Xu <coiby.xu@gmail.com> wrote:
>
> Hi,
>
> I have been trying to fix this issue [1] found by syzbot. I notice the
> extracted syzkaller reproducer could connect to another Bluetooth device
> successfully because l2cap_chan_connect successfully returns.
>
> // net/Bluetooth/l2cap_sock.c
> static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
>                               int alen, int flags)
> {
>         err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
>                                  &la.l2_bdaddr, la.l2_bdaddr_type);
> }
>
> However, if I use syz-prog2c to convert the syzkaller reproducer to a
> C reproducer, the C reproducer could never make a socket connect call
> successfully. So how does syzkaller manage to create Bluetooth connections
> for the sykaller reproducer? I've understood why this issue [1] occurs
> but haven't figured out how it occurs, i.e., what is the subtle race
> condition. So I want to write a C reproducer to experiment on it.
>
> [1] INFO: trying to register non-static key in l2cap_chan_del: https://syzkaller.appspot.com/bug?id=aca31fd1ef0cbf898bd37115e2c4c66fa37f4a20

Hi Coiby,

syzkaller uses /dev/vhci to create a virtual bluetooth device.
There should be a flag for syz-prog2c to include that code into C
reproducers as well.
However note that syzbot did not provide a C reproducer which means
that the crash was somehow not reproducible with a C reproducer (that
includes vhci initialization code and all other relevant code), so
maybe you are seeing the same effect. It would be useful to figure out
why it's not reproducible with a C repro, maybe it's some bug in
syzkaller that can be fixed.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees