This can cause a race with bt_sock_ioctl() because
bt_sock_recvmsg() gets the skb from sk->sk_receive_queue
and then frees it without holding lock_sock.
A use-after-free for a skb occurs with the following flow.
```
bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
bt_sock_ioctl() -> skb_peek()
```
Add lock_sock to bt_sock_recvmsg() to fix this issue.
Signed-off-by: Hyunwoo Kim <[email protected]>
---
net/bluetooth/af_bluetooth.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 336a76165454..9def13ac816e 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -309,11 +309,16 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
if (flags & MSG_OOB)
return -EOPNOTSUPP;
+ lock_sock(sk);
+
skb = skb_recv_datagram(sk, flags, &err);
if (!skb) {
- if (sk->sk_shutdown & RCV_SHUTDOWN)
+ if (sk->sk_shutdown & RCV_SHUTDOWN) {
+ release_sock(sk);
return 0;
+ }
+ release_sock(sk);
return err;
}
@@ -343,6 +348,8 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
skb_free_datagram(sk, skb);
+ release_sock(sk);
+
if (flags & MSG_TRUNC)
copied = skblen;
--
2.25.1
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=806468
---Test result---
Test Summary:
CheckPatch PASS 0.48 seconds
GitLint PASS 0.22 seconds
SubjectPrefix PASS 0.07 seconds
BuildKernel PASS 28.01 seconds
CheckAllWarning PASS 31.13 seconds
CheckSparse WARNING 36.27 seconds
CheckSmatch PASS 100.31 seconds
BuildKernel32 PASS 27.37 seconds
TestRunnerSetup PASS 423.62 seconds
TestRunner_l2cap-tester PASS 23.57 seconds
TestRunner_iso-tester PASS 46.96 seconds
TestRunner_bnep-tester PASS 6.88 seconds
TestRunner_mgmt-tester PASS 164.14 seconds
TestRunner_rfcomm-tester PASS 11.08 seconds
TestRunner_sco-tester PASS 14.63 seconds
TestRunner_ioctl-tester PASS 12.31 seconds
TestRunner_mesh-tester PASS 9.04 seconds
TestRunner_smp-tester PASS 10.05 seconds
TestRunner_userchan-tester PASS 7.49 seconds
IncrementalBuild PASS 26.74 seconds
Details
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/af_bluetooth.c:223:25: warning: context imbalance in 'bt_accept_enqueue' - different lock contexts for basic block
---
Regards,
Linux Bluetooth
Hi Kim,
On Mon, Dec 4, 2023 at 2:02 AM Hyunwoo Kim <[email protected]> wrote:
>
> This can cause a race with bt_sock_ioctl() because
> bt_sock_recvmsg() gets the skb from sk->sk_receive_queue
> and then frees it without holding lock_sock.
> A use-after-free for a skb occurs with the following flow.
> ```
> bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
> bt_sock_ioctl() -> skb_peek()
> ```
> Add lock_sock to bt_sock_recvmsg() to fix this issue.
>
> Signed-off-by: Hyunwoo Kim <[email protected]>
> ---
> net/bluetooth/af_bluetooth.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 336a76165454..9def13ac816e 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -309,11 +309,16 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
> if (flags & MSG_OOB)
> return -EOPNOTSUPP;
>
> + lock_sock(sk);
> +
> skb = skb_recv_datagram(sk, flags, &err);
> if (!skb) {
> - if (sk->sk_shutdown & RCV_SHUTDOWN)
> + if (sk->sk_shutdown & RCV_SHUTDOWN) {
> + release_sock(sk);
We could just reset the with err = 0 then we don't need to duplicate
the release_sock line.
> return 0;
> + }
>
> + release_sock(sk);
> return err;
> }
>
> @@ -343,6 +348,8 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
>
> skb_free_datagram(sk, skb);
>
> + release_sock(sk);
> +
> if (flags & MSG_TRUNC)
> copied = skblen;
>
> --
> 2.25.1
>
--
Luiz Augusto von Dentz