Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp775827pxb; Wed, 27 Jan 2021 22:56:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJw5uFR5ENswq66guV/V74zAqLem4G3NufoiAqCHCHCqfUslPm/RJvaDR4zniFXFAXU74Elu X-Received: by 2002:a17:906:3fc4:: with SMTP id k4mr9407036ejj.137.1611817016321; Wed, 27 Jan 2021 22:56:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611817016; cv=none; d=google.com; s=arc-20160816; b=xUwyocByw3wBpjd3bNyO70lk/NMGI3DV7aVzOoB2fMXxXgPX9QGC5OowoBRHPFxxCM bGIzd7uiFeBCg3jOQQ4xAwJnjWr6menjOyQJtv+u5K6XU9GhJzszEoZyCvmi6F58MG9c /kanwXy1kocJGCjM1Penc7eYPqRO2ztFUlG+tvNFlUhKbLnuyKfzoF4urJ4GVsI+LSKb LSCZbJAKbLPWsW49/R7T2b0JNKEtstGhcQhDii3pLRCvimK7ryVra+9SLlGCu3SfqPbF NUS1Sl6Gs9v1+Z0Ykwc+BtHf2SEttmUQak7lpY8rrKKLVoMq4GLdeLZazEaikGI3Ab9A 05lA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=3S+nmWZyAGdBBeh93o5nXd2a7/HF9g2hu7DFy8+sdAw=; b=ehyT25K8rFrLVcgFsmQNQkGELeHJZRcM21cQcvW+QrI02cqeKg+sqs48lcqHNmw6+d /0amH4qRXEsGL4m2D0iyJaPkslx9ft83R6s+J8ruwDewh2FTr50sKfzpj4oGFNABMlr9 14ll9PXC4+zVXDf8dUHCX6F+VXzt1ScXV9ziXT0wHCxnNcwnYYyIN+DnatmVqz2+pX1k orrNPRYgboaHU4VijCifuu7V7ZjJdVHG/4NGyS+9aZofvFSnzZ0WpURQAk8QWhhNRIiC ncfQHTfOCwObmAzJvShEBOAy7DNGfgZztIS2YEclMRDoFJhViJb7tLDGFfPH7HOgJnhc vyzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=j0moPGVT; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jg4si2021710ejc.313.2021.01.27.22.56.20; Wed, 27 Jan 2021 22:56:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=j0moPGVT; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231126AbhA1Gyy (ORCPT + 99 others); Thu, 28 Jan 2021 01:54:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58396 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229834AbhA1Gyw (ORCPT ); Thu, 28 Jan 2021 01:54:52 -0500 Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9538DC061573 for ; Wed, 27 Jan 2021 22:54:12 -0800 (PST) Received: by mail-ot1-x32a.google.com with SMTP id d7so4259425otf.3 for ; Wed, 27 Jan 2021 22:54:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3S+nmWZyAGdBBeh93o5nXd2a7/HF9g2hu7DFy8+sdAw=; b=j0moPGVTlB9CPilP5BMO4AODBKFbecsvX8gcmg50YLgGw6nrfuMT7xqdtVnz/PCMXz Q4iUi45+yJbpmT1xpa4Fntq3qoAULLf6BXG8smHAm8ExsFOn2smK7TSJd9GUQ8DHuOHY QHDdZgXvsPXDFq2AIBYlx/dACxAxj9RljTYOt9Dr5VFjAFq5ydPZW/PZmWLILf2fQgOp ghcB25YQzMzegZKvkjI5neiTU378UUBtuuRUMxCyRetk568ygJ9162UU60s17uGDYBN9 wjvEM6+m47NJBPZzFecRBaQa4MfPFSUwqt3JXY+XrV9J1bwmckitvG3V/kzKJSnZ4F9S vXqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3S+nmWZyAGdBBeh93o5nXd2a7/HF9g2hu7DFy8+sdAw=; b=LD62/b1pyl9UycdRuS1QDIhwbWCKhz/k9Q1Ej98UgIrzZbqVQPHLyMf4+JYhaqMZE/ PnOTpQmgpDGyi0BfwQa64NcLYbLP5TJHGsson2QxPkmvNznGxDV8E3nAjhjyaYhj1n28 rQm7mDsBdajb7AaoOCBxpI+WZu4q2kzBbVHmaWxrlHMEbWT/x9YAoLdkRF6F8H/kkJYh zYDvv/mZioKrpsnDm34s08ADVqz9PEOPJkYaMKMaApKtDttypx329nbfS5L4c7ae3aSG xSXlzI0AiH2585YHr31rl0UW0jLjCxSmHcwutzMFYuACkmLFRnziuD+Vt4d+07RpaN7s Iy0g== X-Gm-Message-State: AOAM533zwczU53evGBPNl5WU0g28l+bxfbbGRca+lSPnA0LlCCC9JFTL fkgkufYWAZmMgdbK20QfptSXf4St/+QA6VKHfw7dGAJTbZZlXA== X-Received: by 2002:a9d:2035:: with SMTP id n50mr10019689ota.44.1611816851972; Wed, 27 Jan 2021 22:54:11 -0800 (PST) MIME-Version: 1.0 References: <20210128063901.1362-1-sonnysasaka@chromium.org> In-Reply-To: <20210128063901.1362-1-sonnysasaka@chromium.org> From: Luiz Augusto von Dentz Date: Wed, 27 Jan 2021 22:54:01 -0800 Message-ID: Subject: Re: [PATCH BlueZ v2] input/hog: Fix crashes of UAF of hog->attr To: Sonny Sasaka Cc: "linux-bluetooth@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Sonny, On Wed, Jan 27, 2021 at 10:43 PM Sonny Sasaka wrote: > > hog->attr does not own pointer, so it may be invalid when hog object > gets re-attached at bt_hog_attach(). To solve this, this patch > intentionally clears hog->attr at bt_hog_detach() to mark it as invalid > so that it can be repopulated with the valid pointer at bt_hog_attach(). > The same applies to all sub-instances. > > Sample stack trace: > * thread #1, stop reason = signal SIGSEGV > * frame #0: 0x05ad49f2 bluetoothd` at gatt-db.c:1428 > frame #1: 0x05a91922 bluetoothd`bt_hog_attach at hog-lib.c:1694 > frame #2: 0x05a9160e bluetoothd`hog_accept at hog.c:212 > frame #3: 0x05ab4784 bluetoothd`service_accept at service.c:203 > frame #4: 0x05aba1e6 bluetoothd`device_attach_att at device.c:4542 > frame #5: 0x05a9c4a2 bluetoothd`connect_cb at gatt-database.c:656 > frame #6: 0x05a98e8c bluetoothd`server_cb at btio.c:264 > frame #7: 0xec8e6a1a libglib-2.0.so.0`g_main_context_dispatch at gmain.c:3325 > frame #8: 0xec8e6c58 libglib-2.0.so.0`g_main_context_iterate at gmain.c:4119 > frame #9: 0xec8e6e52 libglib-2.0.so.0`g_main_loop_run at gmain.c:4317 > frame #10: 0x05ad582e bluetoothd`mainloop_run at mainloop-glib.c:79 > frame #11: 0x05ad5a64 bluetoothd`mainloop_run_with_signal at mainloop-notify.c:201 > frame #12: 0x05ac35ac bluetoothd`main at main.c:1103 > frame #13: 0xec6ed0a2 libc.so.6`__libc_start_main at libc-start.c:308 > > --- > profiles/input/hog-lib.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/profiles/input/hog-lib.c b/profiles/input/hog-lib.c > index 1f132aa4c..711bda73c 100644 > --- a/profiles/input/hog-lib.c > +++ b/profiles/input/hog-lib.c > @@ -1651,12 +1651,19 @@ static void primary_cb(uint8_t status, GSList *services, void *user_data) > bool bt_hog_attach(struct bt_hog *hog, void *gatt) > { > GSList *l; > + bt_uuid_t uuid; > > if (hog->attrib) > return false; > > hog->attrib = g_attrib_ref(gatt); > > + if (!hog->attr && hog->gatt_db) { > + bt_uuid16_create(&uuid, HOG_UUID16); > + gatt_db_foreach_service(hog->gatt_db, &uuid, > + foreach_hog_service, hog); > + } > + > if (!hog->attr && !hog->primary) { > discover_primary(hog, hog->attrib, NULL, primary_cb, hog); > return true; > @@ -1744,6 +1751,15 @@ void bt_hog_detach(struct bt_hog *hog) > bt_hog_detach(instance); > } > > + /* hog->attr doesn't own pointer, so it may be invalid when this hog > + * object gets re-attached with bt_hog_attach(). So intentionally mark > + * it as invalid and remove all instances so that the instances can be > + * re-attached at bt_hog_attach(). > + */ > + hog->attr = NULL; > + g_slist_free_full(hog->instances, hog_free); > + hog->instances = NULL; We can actually what watches instead of cleanup always like this, see: https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/src/shared/gatt-db.h#n275 > + > for (l = hog->reports; l; l = l->next) { > struct report *r = l->data; > > -- > 2.29.2 > -- Luiz Augusto von Dentz