We are working on fuzzing testing the target protocol security.
While fuzzing the BlueTooth L2CAP signal request we found that the
target system will freeze and the process 'bluetoothd' CPU usage
becomes fully used. No other process can run anymore. This bug can not
be reproduced by the same set of command sequences. So we can not
locate the problem in the code. But to reproduce the error we can do
the loop:
1. build a normal L2CAP socket connection.
2. send set of command to reach the specific state
'02:06:04:00:01:00:40:00','04:07:13:00:40:00:00:00:01:03:f5:03:04:09:8e:00:00:00:00:00:00:00:00','04:07:13:00:40:00:00:00:01:02:9d:03:04:09:ef:00:00:00:00:00:00:00:00'
3. Randomly fills the value into the options field of the CONFIG
request. And send the CONFIG request to the target.
4. Shut down the HCI connection directly.
5. go to step1 and do everything again.
This is not the only way to crash the target but fuzzing on other
states may take a longer time to crash the target. We send each
command every 0.7 seconds, and usually, the target will crash in half
an hour.
We tested this bug on 4.14, 4.15, and 5.43 three different kernels of
Linux. They all have the same problem.
We post the dmsg before it crash here:
[174611.980681] Modules linked in: rfcomm cmac xt_CHECKSUM
iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat
nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack
nf_conntrack libcrc32c ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp
llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE)
ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter
devlink ccm bnep intel_rapl uvcvideo x86_pkg_temp_thermal
intel_powerclamp videobuf2_vmalloc videobuf2_memops videobuf2_v4l2
videobuf2_core coretemp videodev crct10dif_pclmul crc32_pclmul
snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic media
ghash_clmulni_intel snd_hda_intel snd_hda_codec rtsx_usb_ms memstick
snd_hda_core pcbc arc4 btusb snd_hwdep btrtl btbcm btintel aesni_intel
snd_pcm iwlmvm bluetooth
[174611.980707] ecdh_generic aes_x86_64 mac80211 snd_seq_midi
snd_seq_midi_event dell_laptop dell_smm_hwmon crypto_simd glue_helper
snd_rawmidi iwlwifi cfg80211 snd_seq snd_seq_device cryptd
intel_cstate intel_rapl_perf joydev dell_wmi sparse_keymap input_leds
snd_timer serio_raw snd mei_me shpchp dell_smbios dcdbas
dell_wmi_descriptor wmi_bmof mei dell_rbtn soundcore lpc_ich acpi_pad
mac_hid kvm_intel binfmt_misc kvm irqbypass sch_fq_codel parport_pc
ppdev lp parport ip_tables x_tables autofs4 rtsx_usb_sdmmc rtsx_usb
i915 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt
ahci psmouse libahci fb_sys_fops r8169 drm mii wmi video i2c_hid hid
[174611.980735] CPU: 0 PID: 916 Comm: bluetoothd Tainted: G W
OE 4.15.0-72-generic #81-Ubuntu
[174611.980736] Hardware name: Dell Inc. Inspiron 5558/0V7MX2, BIOS
A02 03/09/2015
[174611.980743] RIP: 0010:bt_sock_poll+0x17a/0x1d0 [bluetooth]
[174611.980744] RSP: 0018:ffffb6ea41293a88 EFLAGS: 00010246
[174611.980746] RAX: fffffffffffffd38 RBX: ffff8c0c53bf0000 RCX:
0000000000000000
[174611.980747] RDX: 0000000000000000 RSI: ffff8c0c21941800 RDI:
0000000000000000
[174611.980748] RBP: ffffb6ea41293aa0 R08: ffff8c0c4b771d00 R09:
0000000000000466
[174611.980749] R10: 0000000000000000 R11: 00017c4f569e4e50 R12:
ffffb6ea41293c30
[174611.980749] R13: ffff8c0c4b771d00 R14: 0000000000000000 R15:
ffff8c0c4b771d00
[174611.980751] FS: 00007fafd6a797c0(0000) GS:ffff8c0c5f400000(0000)
knlGS:0000000000000000
[174611.980752] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[174611.980753] CR2: 0000000000000000 CR3: 0000000190dac004 CR4:
00000000003606f0
[174611.980754] Call Trace:
[174611.980758] sock_poll+0x74/0x90
[174611.980761] do_sys_poll+0x26f/0x580
[174611.980764] ? __wake_up_sync_key+0x1e/0x30
[174611.980766] ? sock_def_readable+0x40/0x70
[174611.980768] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980769] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980771] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980772] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980774] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980775] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980777] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980778] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980779] ? compat_poll_select_copy_remaining+0x130/0x130
[174611.980781] SyS_poll+0x30/0x130
[174611.980782] ? SyS_poll+0x30/0x130
[174611.980785] do_syscall_64+0x73/0x130
[174611.980787] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[174611.980789] RIP: 0033:0x7fafd5c27bc4
[174611.980789] RSP: 002b:00007ffe26f7aac8 EFLAGS: 00000246 ORIG_RAX:
0000000000000007
[174611.980791] RAX: ffffffffffffffda RBX: 000056363ed5bc90 RCX:
00007fafd5c27bc4
[174611.980792] RDX: 00000000ffffffff RSI: 000000000000001b RDI:
000056363ed77000
[174611.980793] RBP: 000000000000001b R08: 000000000000001b R09:
000056363ed78f10
[174611.980794] R10: 000056363ed5c8e0 R11: 0000000000000246 R12:
000056363ed77000
[174611.980794] R13: 00000000ffffffff R14: 00007fafd65b8f70 R15:
000000000000001b
[174611.980796] Code: 80 fa 01 75 11 eb 5e 0f b6 48 12 48 89 c6 48 89
d0 80 f9 01 74 4f 48 8b 93 e0 02 00 00 83 e2 01 74 09 0f b6 56 12 80
fa 06 74 3a <48> 8b b8 c8 02 00 00 48 39 c3 48 8d 97 38 fd ff ff 75 c9
5b 31
[174611.980822] RIP: bt_sock_poll+0x17a/0x1d0 [bluetooth] RSP: ffffb6ea41293a88
[174611.980823] CR2: 0000000000000000
Hope someone can figure it out.
Thanks,
Zhan