Received: by 2002:a05:7412:98c1:b0:fa:551:50a7 with SMTP id kc1csp1564365rdb; Mon, 8 Jan 2024 03:30:07 -0800 (PST) X-Google-Smtp-Source: AGHT+IGRVUT5HRUzEp6QuQSD/KBZx2AkJpkBjA7lqKFAxGtxOPSlZ4PFLS4tDR2k3TYkwC9S/l7I X-Received: by 2002:a05:6512:1315:b0:50e:7709:9fc2 with SMTP id x21-20020a056512131500b0050e77099fc2mr1589940lfu.78.1704713407638; Mon, 08 Jan 2024 03:30:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704713407; cv=none; d=google.com; s=arc-20160816; b=D3ud80RBHjJ667pQvDHTpw5QSIdG7wmxtimW5+/W0Y6IXUH2tnzEc2NFmY0vezIKFA Sc3W3Udf4t4H207dFlokSq8EkEPXyU9EuB8dpOfkx6Zb/Nuz5PWSa/WRyHAQtOmDI8OO kc9GE/acM3/37gVh4UD7+i4KVd2+wyouxbquOislBv6swsZWkk3/HEK9Bixx+sKp+7qx YGPi2VtLoU5hvvltdG3vbbDiO5w4tjPGmI16U6TmQUepcTiLUhBOMFT4ob1dqHC0hg43 NC025sIaF7ocdAyq1UPNAba5xnHKRYgIOQ7I/tov8QDWBUCLGroyKpPUz/mmHxN5k6Z/ SvhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to:subject :user-agent:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:date:message-id:dkim-signature; bh=+4rCyt0de8rnxrMRRo2pEd/n8irU9T6nN4E08mQWVgM=; fh=0pMbT1/rrfDGLiJbbT35uHt4I2Oz+Uax27b/KfGJZXI=; b=Rqk15kYlMoLhXLQvanLkvInXip/g4k0dOhV7exeJlzWQ0Y6W/e8CSUXX6rD2c6gWIQ bdGjkgfio2ueaRtKdTJN0gh4HxHILkRqGTj4ipLi56IHG2fa7NbGPp4UZ7QhMNNKhbxb rFe2JzpAX0+9Ih/6OqsSjkSTL77dOmTh3LUDzehpTaLTUjy0DvbEfcM1LAwznCXSErJt oXbmc13wXE7/jxvPdLAPvIJ+eDdqah0pwTcEzrE5lUeY99E0eKDPgRShXSWCngtnGUra vSaZeG0ryThssbD6TQpO8K0G//gPLkcsoT6v6nuNtwUz0rsGfz7qLDFJjW9y5ALgQJDc YyFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@buaa.edu.cn header.s=buaa header.b=otSGCTw2; spf=pass (google.com: domain of linux-bluetooth+bounces-947-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-947-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=buaa.edu.cn Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id v19-20020a509553000000b00553468b1a8dsi3056277eda.664.2024.01.08.03.30.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 03:30:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-947-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@buaa.edu.cn header.s=buaa header.b=otSGCTw2; spf=pass (google.com: domain of linux-bluetooth+bounces-947-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-947-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=buaa.edu.cn Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 5F6841F22792 for ; Mon, 8 Jan 2024 11:30:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 56B1324A16; Mon, 8 Jan 2024 11:29:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=buaa.edu.cn header.i=@buaa.edu.cn header.b="otSGCTw2" X-Original-To: linux-bluetooth@vger.kernel.org Received: from zg8tmty3ljk5ljewns4xndka.icoremail.net (zg8tmty3ljk5ljewns4xndka.icoremail.net [167.99.105.149]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B8D162CCD5; Mon, 8 Jan 2024 11:29:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=buaa.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=buaa.edu.cn DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=buaa.edu.cn; s=buaa; h=Received:Message-ID:Date:MIME-Version: User-Agent:Subject:To:Cc:References:From:In-Reply-To: Content-Type:Content-Transfer-Encoding; bh=+4rCyt0de8rnxrMRRo2pE d/n8irU9T6nN4E08mQWVgM=; b=otSGCTw22R5VqHz+VRdyWU+3Qil1aeJMW/d5s Wdl9SPUJ0B7B6GU1PW6XpwlLqZNZU3J1O76c//B/Q5r9iZQxguwQGiUgjKTXjNsj FjOd4RYT74IPEp9Zbf8dZhPnVEKnAOLZp204krpy/utT/dD0sru6Lb6GSx5rrghL zg7v+A= Received: from [192.168.1.108] (unknown [10.130.147.18]) by coremail-app1 (Coremail) with SMTP id OCz+CgCXyFpz3JtlRKfJAA--.19759S2; Mon, 08 Jan 2024 19:28:51 +0800 (CST) Message-ID: <6572ae72-0d2e-4c48-9a46-877f46890811@buaa.edu.cn> Date: Mon, 8 Jan 2024 19:28:51 +0800 Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH V3] Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security To: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, pmenzel@molgen.mpg.de Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, sy2239101@buaa.edu.cn References: <20240103090238.3376565-1-20373622@buaa.edu.cn> From: Yuxuan-Hu <20373622@buaa.edu.cn> In-Reply-To: <20240103090238.3376565-1-20373622@buaa.edu.cn> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-CM-TRANSID:OCz+CgCXyFpz3JtlRKfJAA--.19759S2 X-Coremail-Antispam: 1UD129KBjvJXoWxCw1rKr13Aw1xtFW5XF1UZFb_yoW5WFykpF ZFya93Kr1kury5Awn7AF4kZFWrZr1vgr13K395urWUC3s8W3s3KrWSkF1jyayUCFs0k345 ZF10qa9xKrnFv37anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvG1xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVW7JVWDJwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVWxJVW8Jr1l84ACjcxK6I8E 87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s1lnxkEFVAIw20F6c xK64vIFxWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2Wl Yx0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbV WUJVW8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc2xSY4AK6svPMxAI w28IcxkI7VAKI48JMxAIw28IcVCjz48v1sIEY20_Aw1UJr1UMxC20s026xCaFVCjc4AY6r 1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CE b7AF67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0x vE2Ix0cI8IcVCY1x0267AKxVWUJVW8JwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAI cVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVWUJVW8JbIYCTnIWIevJa 73UjIFyTuYvjfUOlksUUUUU X-CM-SenderInfo: ysqtljawssquxxddhvlgxou0/ Dear All: I hope this email finds you well. I hope you haven't missed my previous email, as I understand that everyone has a busy schedule. I just wanted to follow up on my previous message sent. I understand that you may be occupied with other tasks or priorities. However, I would greatly appreciate it if you could spare a few moments to check the patch in my previous email. Your prompt response would be highly valuable to me. Thank you for your attention to this matter, and I look forward to hearing from you soon. On 2024/1/3 17:02, Yuxuan Hu wrote: > During our fuzz testing of the connection and disconnection process at the > RFCOMM layer, we discovered this bug. By comparing the packets from a normal > connection and disconnection process with the testcase that triggered a > KASAN report. We analyzed the cause of this bug as follows: > > 1. In the packets captured during a normal connection, the host sends a > `Read Encryption Key Size` type of `HCI_CMD` packet (Command Opcode: 0x1408) > to the controller to inquire the length of encryption key.After receiving > this packet, the controller immediately replies with a Command Complete > packet (Event Code: 0x0e) to return the Encryption Key Size. > > 2. In our fuzz test case, the timing of the controller's response to this > packet was delayed to an unexpected point: after the RFCOMM and L2CAP > layers had disconnected but before the HCI layer had disconnected. > > 3. After receiving the Encryption Key Size Response at the time described > in point 2, the host still called the rfcomm_check_security function. > However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;` > had already been released, and when the function executed > `return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`, > specifically when accessing `conn->hcon`, a null-ptr-deref error occurred. > > To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling > rfcomm_recv_frame in rfcomm_process_rx. > > Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn> > --- > V1 -> V2: Check earlier on rfcomm_process_rx > V2 -> V3: Fixed formatting errors in the commit > > net/bluetooth/rfcomm/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c > index 053ef8f25fae..1d34d8497033 100644 > --- a/net/bluetooth/rfcomm/core.c > +++ b/net/bluetooth/rfcomm/core.c > @@ -1941,7 +1941,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) > /* Get data directly from socket receive queue without copying it. */ > while ((skb = skb_dequeue(&sk->sk_receive_queue))) { > skb_orphan(skb); > - if (!skb_linearize(skb)) { > + if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) { > s = rfcomm_recv_frame(s, skb); > if (!s) > break;