Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp826060pxb; Thu, 2 Sep 2021 16:27:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzpulZXWgP1WSL+Fnyg4EKi0dcNd/gVGFKwlKJR/WEXvz+0wr2M9LHRwVIpz4z/MLQY3BTR X-Received: by 2002:a92:cb04:: with SMTP id s4mr481647ilo.130.1630625223224; Thu, 02 Sep 2021 16:27:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630625223; cv=none; d=google.com; s=arc-20160816; b=IxLkpdh4xQEPtnfASt+NrloyvNIi7DPK7dU2hjl5Uji+a4MApkfIiEB8y1MGeozJfd n3gLJRBstJYoSmlj995DCIkRJbdsvF4OAdsZRuy3RlUGUohoDk+ObrzHyY8cXlY26stU RlWITBHreX3rEZ2q/HmUCwsloSGkg/ZbDDFo+yZY+RmhhQ/XODbyv8Jv6iO6KeE5v7mZ xfqAV/qhKr9rioo3PYMfqFp4XznWmqa5t7Zu8MXUgWd9AraywlIhPaTW5+GExTlvmJUm 9wJVinQwQIyikn0GlAbyqogkHDS9jDJi1Oylsk7jgK+g6BHhnNnKj79xMQbjoF/MDYM0 51Mw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :to:subject; bh=IL7s+DqS8vAfp4stpwwtHgKLG/N8H2ny7nk/xMzXJzg=; b=DqAwBS0enPbFGuKF4ohsXICHfPCmc8aPruJ222GuJlLswqSil6VbbZHWIobzfGjA+8 IE0ln3uHkSzO+ae2C/l3ZaxozLvOOuyS9KFy0kG1OXrdZABPI0AhAKZyiWkDqJr8Ha+o F/do4F0ACuhl5U1lqWzhrppzEPBhFZQO/cIJDeJZgbuRFs4wYDCP9DXf94GFeE68s63a TgNHCf3y/NjZooS9VOBY9gJrg6QvMUR8hGtBLseaYGH0LzK03QwKibIjoSjYDrt1R7h/ z875ghdV7Uj8ij5VUZP2Jp1cek0FZ5TBIaxt0zN9rHEQXa9gEq5GR9+jVw2rAuJ+EPYf 6otQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q2si3202088jac.2.2021.09.02.16.26.50; Thu, 02 Sep 2021 16:27:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345805AbhIBPd5 (ORCPT + 99 others); Thu, 2 Sep 2021 11:33:57 -0400 Received: from www262.sakura.ne.jp ([202.181.97.72]:50741 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345811AbhIBPd4 (ORCPT ); Thu, 2 Sep 2021 11:33:56 -0400 Received: from fsav117.sakura.ne.jp (fsav117.sakura.ne.jp [27.133.134.244]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 182FWpif084576; Fri, 3 Sep 2021 00:32:51 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav117.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav117.sakura.ne.jp); Fri, 03 Sep 2021 00:32:51 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav117.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 182FWoM0084564 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Fri, 3 Sep 2021 00:32:50 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Subject: Re: Help needed in patching CVE-2021-3640 To: LinMa , linux-bluetooth@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz References: <15f5a46.b79d9.17ba6802ccd.Coremail.linma@zju.edu.cn> From: Tetsuo Handa Message-ID: Date: Fri, 3 Sep 2021 00:32:49 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 MIME-Version: 1.0 In-Reply-To: <15f5a46.b79d9.17ba6802ccd.Coremail.linma@zju.edu.cn> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org On 2021/09/02 21:33, LinMa wrote: > Hello there, > > There is one bug (CVE-2021-3640: https://www.openwall.com/lists/oss-security/2021/07/22/1) that is similar to the recently fixed CVE-2021-3573. > > The key point here is that the sco_conn_del() function can be called when syscalls like sco_sendmsg() is undergoing. Since hdev->lock is held when sco_conn_del() is called, 3 locks held by poc/6686: #0: ffff8880158690e0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x44/0x6a0 [bluetooth] #1: ffff888015868080 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_do_close+0x1ac/0x6a0 [bluetooth] #2: ffffffffa0630030 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x6f/0x140 [bluetooth] I guess that holding hdev->lock when sco_send_frame() is called would avoid use-after-free. diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index d9a4e88dacbb..f5339bfba4a5 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -727,10 +727,17 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, lock_sock(sk); - if (sk->sk_state == BT_CONNECTED) - err = sco_send_frame(sk, msg, len); - else - err = -ENOTCONN; + err = -ENOTCONN; + if (sk->sk_state == BT_CONNECTED) { + struct hci_dev *hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR); + + if (hdev) { + hci_dev_lock(hdev); + err = sco_send_frame(sk, msg, len); + hci_dev_unlock(hdev); + hci_dev_put(hdev); + } + } release_sock(sk); return err; But I'm not happy with calling hci_get_route() every time. Can we cache the hdev found upon sco_connect() ?