Subject: Re: [PATCH] Bluetooth: Check state in l2cap_disconnect_rsp
From: Marcel Holtmann
To: Matias Karhumaa
Cc: Johan Hedberg, linux-bluetooth@vger.kernel.org
Date: Sat, 6 Jul 2019 15:24:00 +0200
In-Reply-To: <20190521100722.GA15063@makarhum-Latitude-E5440>
References: <20190521100722.GA15063@makarhum-Latitude-E5440>
List-ID: linux-bluetooth@vger.kernel.org

Hi Matias,

> Because of both sides doing L2CAP disconnection at the same time, it
> was possible to receive L2CAP Disconnection Response with CID that was
> already freed. That caused problems if CID was already reused and L2CAP
> Connection Request with same CID was sent out. Before this patch kernel
> deleted channel context regardless of the state of the channel.
>
> Example where leftover Disconnection Response (frame #402) causes local
> device to delete L2CAP channel which was not yet connected. This in
> turn confuses remote device's stack because same CID is re-used without
> properly disconnecting.
>
> Btmon capture before patch:
> ** snip **
> > ACL Data RX: Handle 43 flags 0x02 dlen 8                #394 [hci1] 10.748949
>       Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
>       RFCOMM: Disconnect (DISC) (0x43)
>          Address: 0x03 cr 1 dlci 0x00
>          Control: 0x53 poll/final 1
>          Length: 0
>          FCS: 0xfd
> < ACL Data TX: Handle 43 flags 0x00 dlen 8                #395 [hci1] 10.749062
>       Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
>       RFCOMM: Unnumbered Ack (UA) (0x63)
>          Address: 0x03 cr 1 dlci 0x00
>          Control: 0x73 poll/final 1
>          Length: 0
>          FCS: 0xd7
> < ACL Data TX: Handle 43 flags 0x00 dlen 12               #396 [hci1] 10.749073
>       L2CAP: Disconnection Request (0x06) ident 17 len 4
>         Destination CID: 65
>         Source CID: 65
> > HCI Event: Number of Completed Packets (0x13) plen 5    #397 [hci1] 10.752391
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > HCI Event: Number of Completed Packets (0x13) plen 5    #398 [hci1] 10.753394
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > ACL Data RX: Handle 43 flags 0x02 dlen 12               #399 [hci1] 10.756499
>       L2CAP: Disconnection Request (0x06) ident 26 len 4
>         Destination CID: 65
>         Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12               #400 [hci1] 10.756548
>       L2CAP: Disconnection Response (0x07) ident 26 len 4
>         Destination CID: 65
>         Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12               #401 [hci1] 10.757459
>       L2CAP: Connection Request (0x02) ident 18 len 4
>         PSM: 1 (0x0001)
>         Source CID: 65
> > ACL Data RX: Handle 43 flags 0x02 dlen 12               #402 [hci1] 10.759148
>       L2CAP: Disconnection Response (0x07) ident 17 len 4
>         Destination CID: 65
>         Source CID: 65
> = bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o..   10.759447
> > HCI Event: Number of Completed Packets (0x13) plen 5    #403 [hci1] 10.759386
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > ACL Data RX: Handle 43 flags 0x02 dlen 12               #404 [hci1] 10.760397
>       L2CAP: Connection Request (0x02) ident 27 len 4
>         PSM: 3 (0x0003)
>         Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 16               #405 [hci1] 10.760441
>       L2CAP: Connection Response (0x03) ident 27 len 8
>         Destination CID: 65
>         Source CID: 65
>         Result: Connection successful (0x0000)
>         Status: No further information available (0x0000)
> < ACL Data TX: Handle 43 flags 0x00 dlen 27               #406 [hci1] 10.760449
>       L2CAP: Configure Request (0x04) ident 19 len 19
>         Destination CID: 65
>         Flags: 0x0000
>         Option: Maximum Transmission Unit (0x01) [mandatory]
>           MTU: 1013
>         Option: Retransmission and Flow Control (0x04) [mandatory]
>           Mode: Basic (0x00)
>           TX window size: 0
>           Max transmit: 0
>           Retransmission timeout: 0
>           Monitor timeout: 0
>           Maximum PDU size: 0
> > HCI Event: Number of Completed Packets (0x13) plen 5    #407 [hci1] 10.761399
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > ACL Data RX: Handle 43 flags 0x02 dlen 16               #408 [hci1] 10.762942
>       L2CAP: Connection Response (0x03) ident 18 len 8
>         Destination CID: 66
>         Source CID: 65
>         Result: Connection successful (0x0000)
>         Status: No further information available (0x0000)
> *snip*
>
> Similar case after the patch:
> *snip*
> > ACL Data RX: Handle 43 flags 0x02 dlen 8              #22702 [hci0] 1664.411056
>       Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
>       RFCOMM: Disconnect (DISC) (0x43)
>          Address: 0x03 cr 1 dlci 0x00
>          Control: 0x53 poll/final 1
>          Length: 0
>          FCS: 0xfd
> < ACL Data TX: Handle 43 flags 0x00 dlen 8              #22703 [hci0] 1664.411136
>       Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
>       RFCOMM: Unnumbered Ack (UA) (0x63)
>          Address: 0x03 cr 1 dlci 0x00
>          Control: 0x73 poll/final 1
>          Length: 0
>          FCS: 0xd7
> < ACL Data TX: Handle 43 flags 0x00 dlen 12             #22704 [hci0] 1664.411143
>       L2CAP: Disconnection Request (0x06) ident 11 len 4
>         Destination CID: 65
>         Source CID: 65
> > HCI Event: Number of Completed Pac.. (0x13) plen 5    #22705 [hci0] 1664.414009
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > HCI Event: Number of Completed Pac.. (0x13) plen 5    #22706 [hci0] 1664.415007
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > ACL Data RX: Handle 43 flags 0x02 dlen 12             #22707 [hci0] 1664.418674
>       L2CAP: Disconnection Request (0x06) ident 17 len 4
>         Destination CID: 65
>         Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12             #22708 [hci0] 1664.418762
>       L2CAP: Disconnection Response (0x07) ident 17 len 4
>         Destination CID: 65
>         Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 12             #22709 [hci0] 1664.421073
>       L2CAP: Connection Request (0x02) ident 12 len 4
>         PSM: 1 (0x0001)
>         Source CID: 65
> > ACL Data RX: Handle 43 flags 0x02 dlen 12             #22710 [hci0] 1664.421371
>       L2CAP: Disconnection Response (0x07) ident 11 len 4
>         Destination CID: 65
>         Source CID: 65
> > HCI Event: Number of Completed Pac.. (0x13) plen 5    #22711 [hci0] 1664.424082
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > HCI Event: Number of Completed Pac.. (0x13) plen 5    #22712 [hci0] 1664.425040
>         Num handles: 1
>         Handle: 43
>         Count: 1
> > ACL Data RX: Handle 43 flags 0x02 dlen 12             #22713 [hci0] 1664.426103
>       L2CAP: Connection Request (0x02) ident 18 len 4
>         PSM: 3 (0x0003)
>         Source CID: 65
> < ACL Data TX: Handle 43 flags 0x00 dlen 16             #22714 [hci0] 1664.426186
>       L2CAP: Connection Response (0x03) ident 18 len 8
>         Destination CID: 66
>         Source CID: 65
>         Result: Connection successful (0x0000)
>         Status: No further information available (0x0000)
> < ACL Data TX: Handle 43 flags 0x00 dlen 27             #22715 [hci0] 1664.426196
>       L2CAP: Configure Request (0x04) ident 13 len 19
>         Destination CID: 65
>         Flags: 0x0000
>         Option: Maximum Transmission Unit (0x01) [mandatory]
>           MTU: 1013
>         Option: Retransmission and Flow Control (0x04) [mandatory]
>           Mode: Basic (0x00)
>           TX window size: 0
>           Max transmit: 0
>           Retransmission timeout: 0
>           Monitor timeout: 0
>           Maximum PDU size: 0
> > ACL Data RX: Handle 43 flags 0x02 dlen 16             #22716 [hci0] 1664.428804
>       L2CAP: Connection Response (0x03) ident 12 len 8
>         Destination CID: 66
>         Source CID: 65
>         Result: Connection successful (0x0000)
>         Status: No further information available (0x0000)
> *snip*
>
> Fix is to check that channel is in state BT_DISCONN before deleting the
> channel.
>
> This bug was found while fuzzing BlueZ's OBEX implementation using
> Synopsys Defensics.
>
> Reported-by: Matti Kamunen
> Reported-by: Ari Timonen
> Signed-off-by: Matias Karhumaa
> ---
>  net/bluetooth/l2cap_core.c | 6 ++++++
>  1 file changed, 6 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel
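A model of the race described in the quoted commit message, added here as an example; it is neither the kernel's l2cap_core.c nor the patch itself. It replays the "before patch" frames #396 to #402 against a toy channel table in which, as in the capture, CID 65 is freed at #400 and handed to a new channel at #401 before the response to #396 arrives. The names chans, chan_add, get_chan_by_scid, disconnect_rsp and replay are this example's own; BT_DISCONN is the kernel state the patch checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Subset of the kernel's BT_* states; BT_CLOSED doubles as "slot free" here. */
enum chan_state { BT_CLOSED, BT_CONNECT, BT_CONNECTED, BT_DISCONN };
struct l2cap_chan { uint16_t scid; enum chan_state state; };
#define MAX_CHANS 4
static struct l2cap_chan chans[MAX_CHANS];  /* constructed stand-in for the connection's channel list */

static struct l2cap_chan *get_chan_by_scid(uint16_t scid)
{
    for (int i = 0; i < MAX_CHANS; i++)
        if (chans[i].state != BT_CLOSED && chans[i].scid == scid)
            return &chans[i];
    return NULL;
}

static struct l2cap_chan *chan_add(uint16_t scid, enum chan_state st)
{
    for (int i = 0; i < MAX_CHANS; i++)
        if (chans[i].state == BT_CLOSED) {
            chans[i] = (struct l2cap_chan){ scid, st };
            return &chans[i];
        }
    return NULL;
}

/* Incoming L2CAP Disconnection Response (0x07) for scid; true if a channel was deleted. */
bool disconnect_rsp(uint16_t scid, bool check_state)
{
    struct l2cap_chan *chan = get_chan_by_scid(scid);
    /* Pre-patch (check_state=false): whatever channel the CID maps to is deleted.
     * Patched: only a channel being torn down (BT_DISCONN) qualifies, so a stale
     * response for a CID that has since been reused is ignored. */
    if (!chan || (check_state && chan->state != BT_DISCONN))
        return false;
    chan->state = BT_CLOSED;    /* the delete step */
    return true;
}

/* Replay frames #396..#402; true if the channel created at #401 survives #402. */
bool replay(bool check_state)
{
    memset(chans, 0, sizeof(chans));
    struct l2cap_chan *c = chan_add(65, BT_DISCONN); /* #396: we sent Disconnection Request */
    c->state = BT_CLOSED;             /* #399/#400: peer's request answered, channel deleted */
    chan_add(65, BT_CONNECT);         /* #401: Connection Request reuses CID 65 */
    disconnect_rsp(65, check_state);  /* #402: response to #396 arrives late */
    return get_chan_by_scid(65) != NULL;
}
```

replay(false) loses the half-open channel exactly as frame #402 did in the first capture; replay(true) keeps it, and a genuine response for a channel in BT_DISCONN is still honoured.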