syzbot


KASAN: use-after-free Read in hci_send_acl

Status: fixed on 2021/06/23 17:43
Reported-by: syzbot+48bc29a1de014a0776b9@syzkaller.appspotmail.com
Fix commit: 75e26178e26f Bluetooth: verify AMP hci_chan before amp_destroy
First crash: 911d, last: 620d

Fix bisection: fixed by (bisect log) :
commit 75e26178e26f910f7f26c79c2824b726eecf0dfb
Author: Archie Pusaka <apusaka@chromium.org>
Date: Mon Mar 22 06:03:11 2021 +0000

  Bluetooth: verify AMP hci_chan before amp_destroy

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in hci_send_acl C done 2 701d 911d 22/24 fixed on 2021/11/10 00:50
linux-4.14 KASAN: use-after-free Read in hci_send_acl C error 4 159d 912d 0/1 upstream: reported C repro on 2020/08/02 14:47

Sample crash report:
Bluetooth: Wrong link type (-22)
Bluetooth: Wrong link type (-22)
Bluetooth: Wrong link type (-22)
Bluetooth: Wrong link type (-22)
==================================================================
BUG: KASAN: use-after-free in hci_send_acl+0xad6/0xc70 net/bluetooth/hci_core.c:3652
Read of size 8 at addr ffff8880996b6498 by task kworker/u5:1/6463

CPU: 0 PID: 6463 Comm: kworker/u5:1 Not tainted 4.19.136-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 hci_send_acl+0xad6/0xc70 net/bluetooth/hci_core.c:3652
 l2cap_send_cmd+0x1bd/0x210 net/bluetooth/l2cap_core.c:874
 l2cap_information_req net/bluetooth/l2cap_core.c:4450 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5442 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5793 [inline]
 l2cap_recv_frame+0x1e75/0xa550 net/bluetooth/l2cap_core.c:7017
 l2cap_recv_acldata+0x80e/0x910 net/bluetooth/l2cap_core.c:7588
 hci_acldata_packet net/bluetooth/hci_core.c:4178 [inline]
 hci_rx_work+0x455/0xa90 net/bluetooth/hci_core.c:4364
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x30b/0x410 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 1225:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 hci_chan_create+0x8e/0x310 net/bluetooth/hci_conn.c:1651
 l2cap_conn_add.part.0+0x18/0xc40 net/bluetooth/l2cap_core.c:7056
 l2cap_conn_add net/bluetooth/l2cap_core.c:7415 [inline]
 l2cap_connect_cfm+0x236/0xe70 net/bluetooth/l2cap_core.c:7373
 hci_connect_cfm include/net/bluetooth/hci_core.h:1246 [inline]
 hci_remote_features_evt net/bluetooth/hci_event.c:3017 [inline]
 hci_event_packet+0x3a31/0x858f net/bluetooth/hci_event.c:5779
 hci_rx_work+0x46b/0xa90 net/bluetooth/hci_core.c:4359
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x30b/0x410 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 6463:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4755 [inline]
 hci_event_packet+0xf52/0x858f net/bluetooth/hci_event.c:5906
 hci_rx_work+0x46b/0xa90 net/bluetooth/hci_core.c:4359
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x30b/0x410 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880996b6480
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff8880996b6480, ffff8880996b6500)
The buggy address belongs to the page:
page:ffffea000265ad80 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002a18fc8 ffff88812c394548 ffff88812c39c640
raw: 0000000000000000 ffff8880996b6000 0000000100000015 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880996b6380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880996b6400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880996b6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880996b6500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880996b6580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-19 2020/08/05 03:55 linux-4.19.y 13af6c74b14a 02034dac .config console log report syz C
ci2-linux-4-19 2020/08/03 22:01 linux-4.19.y 13af6c74b14a 96dd3623 .config console log report syz C
ci2-linux-4-19 2020/08/02 21:29 linux-4.19.y 13af6c74b14a 96dd3623 .config console log report syz C
* Struck through repros no longer work on HEAD.