syzbot


KASAN: use-after-free Read in hci_send_acl

Status: fixed on 2021/11/10 00:50
Subsystems: bluetooth
[Documentation on labels]
Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com
Fix commit: 5c4c8c954409 Bluetooth: verify AMP hci_chan before amp_destroy
First crash: 1571d, last: 1361d
Cause bisection: introduced by (bisect log) :
commit 4ffcd582301bd020b1f9d00c55473af305ec19b5
Author: Michael Chan <michael.chan@broadcom.com>
Date: Mon Sep 19 07:58:07 2016 +0000

  bnxt_en: Pad TX packets below 52 bytes.

Crash: KASAN: use-after-free Read in batadv_iv_ogm_queue_add (log)
Repro: C syz .config
  
Discussions (18)
Title Replies (including bot) Last reply
[PATCH 4.19 000/425] 4.19.191-rc1 review 438 (438) 2021/06/24 10:04
[PATCH 5.10 000/530] 5.10.37-rc1 review 571 (571) 2021/05/25 00:23
[PATCH 4.9 000/240] 4.9.269-rc1 review 245 (245) 2021/05/21 16:52
[PATCH 4.14 000/323] 4.14.233-rc1 review 326 (326) 2021/05/21 05:55
[PATCH 4.4 000/190] 4.4.269-rc1 review 196 (196) 2021/05/20 21:46
[PATCH AUTOSEL 5.12 001/116] ath11k: fix thermal temperature read 119 (119) 2021/05/14 13:04
[PATCH 5.12 000/677] 5.12.4-rc1 review 694 (694) 2021/05/13 20:33
[PATCH 5.11 000/601] 5.11.21-rc1 review 607 (607) 2021/05/13 20:32
[PATCH 5.4 000/244] 5.4.119-rc1 review 258 (258) 2021/05/13 20:31
[PATCH AUTOSEL 5.11 001/104] ath11k: fix thermal temperature read 106 (106) 2021/05/06 00:14
[PATCH AUTOSEL 4.4 01/19] fs: dlm: fix debugfs dump 19 (19) 2021/05/05 16:42
[PATCH AUTOSEL 4.9 01/22] fs: dlm: fix debugfs dump 22 (22) 2021/05/05 16:41
[PATCH AUTOSEL 4.14 01/25] fs: dlm: fix debugfs dump 25 (25) 2021/05/05 16:40
[PATCH AUTOSEL 4.19 01/32] fs: dlm: fix debugfs dump 32 (32) 2021/05/05 16:40
[PATCH AUTOSEL 5.4 01/46] fs: dlm: fix debugfs dump 46 (46) 2021/05/05 16:38
[PATCH AUTOSEL 5.10 01/85] ath11k: fix thermal temperature read 85 (85) 2021/05/05 16:36
[PATCH] Bluetooth: verify AMP hci_chan before amp_destroy 2 (2) 2021/03/22 16:01
KASAN: use-after-free Read in hci_send_acl 0 (2) 2020/08/04 05:53
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-use-after-free Read in hci_send_acl bluetooth C done done 1323 284d 457d 0/28 auto-obsoleted due to no activity on 2024/04/20 13:01
linux-4.19 KASAN: use-after-free Read in hci_send_acl C done 3 1280d 1571d 1/1 fixed on 2021/06/23 17:43
linux-4.14 KASAN: use-after-free Read in hci_send_acl C error 4 819d 1571d 0/1 upstream: reported C repro on 2020/08/02 14:47
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2021/03/01 07:10 19m bisect fix upstream OK (0) job log log
2021/02/06 16:02 0m bisect fix upstream error job log
2021/01/07 15:46 15m bisect fix upstream OK (0) job log log
2020/12/07 15:09 16m bisect fix upstream OK (0) job log log
2020/11/07 06:43 15m bisect fix upstream OK (0) job log log
2020/10/08 04:43 16m bisect fix upstream OK (0) job log log
2020/09/02 15:48 15m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in hci_send_acl+0xabe/0xc60 net/bluetooth/hci_core.c:3991
Read of size 8 at addr ffff8880a6ff8818 by task kworker/u5:2/6855

CPU: 1 PID: 6855 Comm: kworker/u5:2 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 hci_send_acl+0xabe/0xc60 net/bluetooth/hci_core.c:3991
 l2cap_send_cmd+0x6d5/0x8a0 net/bluetooth/l2cap_core.c:949
 l2cap_send_move_chan_cfm_icid net/bluetooth/l2cap_core.c:4917 [inline]
 l2cap_move_fail net/bluetooth/l2cap_core.c:5401 [inline]
 l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5440 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5719 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:6418 [inline]
 l2cap_recv_frame+0x6936/0xae10 net/bluetooth/l2cap_core.c:7660
 l2cap_recv_acldata+0x7f6/0x8e0 net/bluetooth/l2cap_core.c:8313
 hci_acldata_packet net/bluetooth/hci_core.c:4520 [inline]
 hci_rx_work+0x4c7/0xb10 net/bluetooth/hci_core.c:4710
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 6855:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x14f/0x2d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hci_chan_create+0x9b/0x330 net/bluetooth/hci_conn.c:1692
 l2cap_conn_add.part.0+0x1e/0xe10 net/bluetooth/l2cap_core.c:7699
 l2cap_conn_add net/bluetooth/l2cap_core.c:8139 [inline]
 l2cap_connect_cfm+0x23b/0x1090 net/bluetooth/l2cap_core.c:8097
 hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
 hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline]
 hci_event_packet+0x3e01/0x86f5 net/bluetooth/hci_event.c:6061
 hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Freed by task 6855:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x103/0x2c0 mm/slab.c:3757
 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline]
 hci_event_packet+0x319a/0x86f5 net/bluetooth/hci_event.c:6188
 hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff8880a6ff8800
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff8880a6ff8800, ffff8880a6ff8880)
The buggy address belongs to the page:
page:ffffea00029bfe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a6ff8c00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002934388 ffff8880aa001540 ffff8880aa000700
raw: ffff8880a6ff8c00 ffff8880a6ff8000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a6ff8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a6ff8780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a6ff8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880a6ff8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a6ff8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/08/02 19:29 upstream ac3a0c847296 63a73341 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/08/02 13:37 upstream ac3a0c847296 63a73341 .config console log report syz C ci-upstream-kasan-gce-smack-root
* Struck through repros no longer work on HEAD.