syzbot


KASAN: use-after-free Read in sco_chan_del

Status: fixed on 2021/01/06 10:07
Reported-by: syzbot+1c98095bbb6f3a9d7cc7@syzkaller.appspotmail.com
Fix commit: 4113f6f73f6e Bluetooth: Fix null pointer dereference in hci_event_packet()
First crash: 1571d, last: 1445d
Fix bisection: fixed by:
commit 4113f6f73f6e8d215609bde8c0c14ca9f8a476c5
Author: Anmol Karn <anmol.karan123@gmail.com>
Date: Wed Sep 30 14:18:13 2020 +0000

  Bluetooth: Fix null pointer dereference in hci_event_packet()

Similar bugs (1)

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| upstream | KASAN: use-after-free Read in sco_chan_del (bluetooth) | | | | 1 | 1506d | 1502d | 0/28 | auto-closed as invalid on 2020/12/18 15:57 |
Fix bisection attempts (5)

| Created | Duration | User | Patch | Repo | Result |
| --- | --- | --- | --- | --- | --- |
| 2021/01/05 23:15 | 3h18m | bisect fix | | linux-4.14.y | OK (1) |
| 2020/12/06 21:45 | 25m | bisect fix | | linux-4.14.y | OK (0) |
| 2020/11/06 19:56 | 23m | bisect fix | | linux-4.14.y | OK (0) |
| 2020/10/07 19:20 | 26m | bisect fix | | linux-4.14.y | OK (0) |
| 2020/09/07 18:22 | 29m | bisect fix | | linux-4.14.y | OK (0) |

Sample crash report:
Bluetooth: hci5 command 0x0409 tx timeout
Bluetooth: hci0 command 0x041b tx timeout
Bluetooth: hci1 command 0x041b tx timeout
Bluetooth: hci2 command 0x041b tx timeout
==================================================================
BUG: KASAN: use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:963 [inline]
BUG: KASAN: use-after-free in sco_chan_del+0x3b2/0x3d0 net/bluetooth/sco.c:148
Read of size 1 at addr ffff88808d1bccb5 by task syz-executor950/7706

CPU: 1 PID: 7706 Comm: syz-executor950 Not tainted 4.14.193-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 hci_conn_drop include/net/bluetooth/hci_core.h:963 [inline]
 sco_chan_del+0x3b2/0x3d0 net/bluetooth/sco.c:148
 __sco_sock_close+0xb0/0x670 net/bluetooth/sco.c:433
 sco_sock_close net/bluetooth/sco.c:447 [inline]
 sco_sock_release+0x6a/0x370 net/bluetooth/sco.c:1009
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa08/0x27f0 kernel/exit.c:865
 do_group_exit+0x100/0x2e0 kernel/exit.c:962
 get_signal+0x38d/0x1ca0 kernel/signal.c:2423
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x44a589
RSP: 002b:00007ffc8f56c528 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 000000000044a589
RDX: 0000000000000008 RSI: 00000000200000c0 RDI: 0000000000000004
RBP: 0000000000000003 R08: 0000000000000002 R09: 0000000000000003
R10: 0000000000000004 R11: 0000000000000246 R12: 00000000006dfdc8
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:3144
R13: 00000000006e0440 R14: 0000000000000000 R15: 0000000000000000

------------[ cut here ]------------
Allocated by task 7706:
WARNING: CPU: 0 PID: 7728 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb lib/debugobjects.c:287
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551

Crashes (10):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020/08/08 08:36 | linux-4.14.y | 14b58326976d | ff51e522 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/08 07:05 | linux-4.14.y | 14b58326976d | ff51e522 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/07 13:12 | linux-4.14.y | 14b58326976d | 28ac5c9e | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/07 12:42 | linux-4.14.y | 14b58326976d | 28ac5c9e | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/06 18:02 | linux-4.14.y | ca4f2c56d416 | 4ca1c0ea | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/06 16:58 | linux-4.14.y | ca4f2c56d416 | 4ca1c0ea | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/06 03:41 | linux-4.14.y | ca4f2c56d416 | 0487ea6f | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/05 19:33 | linux-4.14.y | ca4f2c56d416 | b7129355 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/05 17:32 | linux-4.14.y | ca4f2c56d416 | b7129355 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |
| 2020/08/03 13:09 | linux-4.14.y | 7f2c5eb458b8 | 96dd3623 | .config | console log | report | syz | C | | | ci2-linux-4-14 | |

* Struck through repros no longer work on HEAD.