From patchwork Fri Jun 28 20:03:06 2024
X-Patchwork-Submitter: Magali Lemes
X-Patchwork-Id: 1954158
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] Bluetooth: af_bluetooth: Fix deadlock
Date: Fri, 28 Jun 2024 17:03:06 -0300
Message-Id: <20240628200307.72936-2-magali.lemes@canonical.com>
In-Reply-To: <20240628200307.72936-1-magali.lemes@canonical.com>
References: <20240628200307.72936-1-magali.lemes@canonical.com>
List-Id: Kernel team discussions

From: Luiz Augusto von Dentz

Attempting to do sock_lock on .recvmsg may cause a deadlock as shown below, so instead of using sock_lock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF:

INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
      Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
 __schedule+0x37d/0xa00
 schedule+0x32/0xe0
 __lock_sock+0x68/0xa0
 ? __pfx_autoremove_wake_function+0x10/0x10
 lock_sock_nested+0x43/0x50
 l2cap_sock_recv_cb+0x21/0xa0
 l2cap_recv_frame+0x55b/0x30a0
 ? psi_task_switch+0xeb/0x270
 ? finish_task_switch.isra.0+0x93/0x2a0
 hci_rx_work+0x33a/0x3f0
 process_one_work+0x13a/0x2f0
 worker_thread+0x2f0/0x410
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe0/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30

Fixes: 2e07e8348ea4 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg")
Signed-off-by: Luiz Augusto von Dentz
(backported from commit f7b94bdc1ec107c92262716b073b3e816d4784fb)
[magalilemes: upstream commit f4b41f062c42 ("net: remove noblock parameter from skb_recv_datagram()") does not exist in Focal, so skb_recv_datagram with an extra parameter provokes a small context conflict. Also accept incoming changes for the lines in bt_sock_ioctl(), which had context conflicts due to lack of b8ddc3b14c7a ("Bluetooth: fix indentation and alignment reported by checkpatch").]
CVE-2024-26886
Signed-off-by: Magali Lemes
---
 net/bluetooth/af_bluetooth.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index 87b16994edcc..53a6ac45adbb 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c @@ -263,14 +263,11 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, if (flags & MSG_OOB) return -EOPNOTSUPP; - lock_sock(sk); - skb = skb_recv_datagram(sk, flags, noblock, &err); if (!skb) { if (sk->sk_shutdown & RCV_SHUTDOWN) err = 0; - release_sock(sk); return err; } @@ -293,8 +290,6 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, skb_free_datagram(sk, skb); - release_sock(sk); - if (flags & MSG_TRUNC) copied = skblen; @@ -519,11 +514,12 @@ int bt_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) if (sk->sk_state == BT_LISTEN) return -EINVAL; - lock_sock(sk); + spin_lock(&sk->sk_receive_queue.lock); skb = skb_peek(&sk->sk_receive_queue); amount = skb ? skb->len : 0; - release_sock(sk); - err = put_user(amount, (int __user *) arg); + spin_unlock(&sk->sk_receive_queue.lock); + + err = put_user(amount, (int __user *)arg); break; default:
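Review bot: In the first bt_sock_recvmsg() hunk (@@ -263,14), dropping `lock_sock(sk);` and the `release_sock(sk);` on the no-skb path reverts the socket-lock protection that 2e07e8348ea4 added for the earlier use-after-free, so the commit message should spell out what now guards the dequeue: the receive-queue lock that skb_recv_datagram() takes on its own, which is the same sk_receive_queue.lock the bt_sock_ioctl() hunk switches to, and which does not contend with the lock_sock() taken by l2cap_sock_recv_cb() in the trace. The retained `skb = skb_recv_datagram(sk, flags, noblock, &err);` context line matches the Focal signature described in the bracketed backport note, so that conflict was resolved the right way.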
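Review bot: In the second bt_sock_recvmsg() hunk (@@ -293,8), removing `release_sock(sk);` after `skb_free_datagram(sk, skb);` together with the lock_sock() removal in the first hunk means any release_sock() or lock-holding early return left in the copy path between the two hunks (not shown in this diff) would now be unbalanced; please confirm the function has no other socket-lock call between lines 268 and 290 of the original.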
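Review bot: In the bt_sock_ioctl() hunk (@@ -519,11), moving `err = put_user(amount, (int __user *)arg);` after `spin_unlock(&sk->sk_receive_queue.lock);` is the detail that matters: put_user() can fault and sleep, so it must not run with the spinlock held, and the hunk correctly keeps only `skb = skb_peek(&sk->sk_receive_queue);` and the skb->len read inside the critical section. Two points worth recording in the commit message: the plain spin_lock() (rather than spin_lock_bh() or spin_lock_irqsave()) relies on the receive queue being filled only from process context, which holds for the hci_rx_work workqueue path shown in the trace; and the `(int __user *) arg` to `(int __user *)arg` whitespace change is unrelated to the fix and is only present because the backport accepted upstream's checkpatch-cleanup context, as the bracketed backport note explains.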