KASAN: use-after-free Write in hci_sock_bind

Status: fixed on 2020/02/18 14:31
Subsystems: bluetooth
[Documentation on labels]
Fix commit: 11eb85ec42dc Bluetooth: Fix race condition in hci_release_sock()
First crash: 1625d, last: 1590d
Discussions (7)
Title Replies (including bot) Last reply
[PATCH 5.5 00/23] 5.5.2-stable review 31 (31) 2020/02/08 16:13
[PATCH 5.4 00/90] 5.4.18-stable review 107 (107) 2020/02/05 21:21
[PATCH 4.19 00/70] 4.19.102-stable review 77 (77) 2020/02/05 14:42
[PATCH 4.14 00/89] 4.14.170-stable review 93 (93) 2020/02/04 17:19
[PATCH 4.9 00/68] 4.9.213-stable review 72 (72) 2020/02/04 17:18
[PATCH] Bluetooth: Fix race condition in hci_release_sock() 2 (2) 2020/01/26 13:20
KASAN: use-after-free Write in hci_sock_bind 0 (1) 2020/01/15 06:21
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Write in hci_sock_bind (2) bluetooth C done unreliable 26 1301d 1575d 0/27 auto-obsoleted due to no activity on 2023/01/05 15:02
linux-4.19 KASAN: use-after-free Write in hci_sock_bind C done 12 1065d 1625d 1/1 fixed on 2021/08/26 13:35

Sample crash report:
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:239 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x18a7/0x1b10 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff88804f731078 by task syz-executor.1/17350

CPU: 1 PID: 17350 Comm: syz-executor.1 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2b6/0x2f0 mm/kasan/generic.c:192
 __kasan_check_write+0x14/0x20 mm/kasan/common.c:101
 atomic_inc include/asm-generic/atomic-instrumented.h:239 [inline]
 hci_sock_bind+0x18a7/0x1b10 net/bluetooth/hci_sock.c:1250
 __sys_bind+0x2bd/0x3a0 net/socket.c:1662
 __do_sys_bind net/socket.c:1673 [inline]
 __se_sys_bind net/socket.c:1671 [inline]
 __x64_sys_bind+0x7a/0x90 net/socket.c:1671
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
RIP: 0033:0x45c6c9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f781ec13c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f781ec146d4 RCX: 000000000045c6c9
RDX: 0000000000000006 RSI: 00000000200007c0 RDI: 000000000000000a
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2b7c R15: 000000000076bf2c

Allocated by task 17346:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hci_alloc_dev+0x50/0x1700 net/bluetooth/hci_core.c:3249
 __vhci_create_device drivers/bluetooth/hci_vhci.c:99 [inline]
 vhci_create_device+0x120/0x530 drivers/bluetooth/hci_vhci.c:148
 vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
 vhci_write+0x3ae/0x440 drivers/bluetooth/hci_vhci.c:285
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0x5a1/0x740 fs/read_write.c:496
 vfs_write+0x270/0x580 fs/read_write.c:558
 ksys_write+0x117/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:620
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294

Freed by task 17345:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10d/0x220 mm/slab.c:3757
 bt_host_release+0x1c/0x30 net/bluetooth/hci_sysfs.c:86
 device_release+0x74/0x1a0 drivers/base/core.c:1354
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1fa/0x2a0 lib/kobject.c:739
 put_device+0x1f/0x30 drivers/base/core.c:2586
 hci_free_dev+0x1c/0x20 net/bluetooth/hci_core.c:3345
 vhci_release+0x7f/0xc0 drivers/bluetooth/hci_vhci.c:341
 __fput+0x2e4/0x740 fs/file_table.c:280
 ____fput+0x15/0x20 fs/file_table.c:313
 task_work_run+0x176/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
 prepare_exit_to_usermode+0x480/0x5b0 arch/x86/entry/common.c:195
 syscall_return_slowpath+0x113/0x4a0 arch/x86/entry/common.c:278
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:304

The buggy address belongs to the object at ffff88804f730000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
 8192-byte region [ffff88804f730000, ffff88804f732000)
The buggy address belongs to the page:
page:ffffea00013dcc00 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0001330e08 ffffea0001429608 ffff8880aa4021c0
raw: 0000000000000000 ffff88804f730000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88804f730f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804f730f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804f731000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804f731080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804f731100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/02/16 13:59 upstream db70e26e33ee cf914200 .config console log report ci-upstream-kasan-gce-smack-root
2020/02/15 11:28 linux-next 9f01828e9e16 5d7b90f1 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/02/10 12:21 linux-next 2981de746b18 35f5e45e .config console log report ci-upstream-linux-next-kasan-gce-root
2020/01/11 23:37 linux-next 6c09d7dbb7d3 4c04afaa .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.