From: Dmitry Vyukov
Date: Mon, 7 Jun 2021 12:28:14 +0200
Subject: Re: KASAN: use-after-free Read in hci_chan_del
To: "Jason A. Donenfeld"
Cc: SyzScope, syzbot, David Miller, Johan Hedberg, Jakub Kicinski, linux-bluetooth, LKML, Marcel Holtmann, netdev, syzkaller-bugs, Kernel Hardening
List-ID: linux-bluetooth@vger.kernel.org

On Mon, Jun 7, 2021 at 12:21 PM Jason A. Donenfeld wrote:
>
> Hi SyzScope,
>
> On Fri, May 28, 2021 at 02:12:01PM -0700, SyzScope wrote:
> >
> > The bug was reported by syzbot first in Aug 2020. Since it remains
> > unpatched to this date, we have conducted some analysis to determine its
> > security impact and root causes, which hopefully can help with the
> > patching decisions.
> > Specifically, we find that even though it is labeled as "UAF read" by
> > syzbot, it can in fact lead to double free and control flow hijacking as
> > well. Here is our analysis below (on this kernel version:
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?id=af5043c89a8ef6b6949a245fff355a552eaed240)
> >
> > ----------------------------- Root cause analysis: --------------------------
> > The use-after-free bug happened because the object has two different
> > references. But when it was freed, only one reference was removed,
> > allowing the other reference to be used incorrectly.
> > [...]
>
> Thank you very much for your detailed analysis. I think this is very
> valuable work, and I appreciate you doing it. I wanted to jump in to
> this thread here so as not to discourage you, following Greg's hasty
> dismissal. The bad arguments I've seen made have been something like:
>
> - Who cares about the impact? Bugs are bugs and these should be fixed
>   regardless. Severity ratings are a waste of time.
> - Spend your time writing patches, not writing tools to discover
>   security issues.
> - This doesn't help my interns.
> - "research project" scare quotes.
>
> I think this entire set of argumentation is entirely bogus, and I really
> hope it doesn't dissuade you from continuing to conduct useful research
> on the kernel.
>
> Specifically, it sounds like your tool is scanning through syzbot
> reports, loading them into a symbolic execution engine, and seeing what
> other primitives you can finesse out of the bugs, all in an automated
> way. So, in the end, a developer gets a report that, rather than just
> saying "4 byte out of bounds read into all zeroed memory so not a big
> deal anyway even if it should be fixed," the developer gets a report
> that says, "4 byte out of bounds read, or a UaF if approached in this
> other way." Knowing that seems like very useful information, not just
> for prioritization, but also for the urgency at which patches might be
> deployed. For example, that's a meaningful distinction were that kind of
> bug found in core networking stack or in wifi or ethernet drivers. I
> also think it's great that you're pushing forward the field of automated
> vulnerability discovery and exploit writing. Over time, hopefully that
> leads to crushing all sorts of classes of bugs. It's also impressive
> that you're able to do so much with kernel code in a symbolic execution
> environment; this sounds a few steps beyond Angr ;-)...
>
> My one suggestion would be that your email alerts / follow-ups to syzbot
> reports, if automated, contain a bit more "dumbed-down" information
> about what's happening. Not all kernel developers speak security, and as
> you've seen, in some places it might be an uphill battle to have your
> contributions taken seriously. On the other hand, it sounds like you
> might already be working with Dmitry to integrate this into the
> syzkaller infrastructure itself, somehow? If so, that'd be great.

We discussed this with authors, but no integration work is happening
right now yet. Yes, it would be useful for syzbot to do this assessment
automatically for all bugs and, say, tag bugs on the dashboard (less
noisy than sending separate emails). If/when syzbot sends, say, monthly
per-subsystem summary, that priority info could also be included there.