From patchwork Fri Jun 28 20:03:07 2024
X-Patchwork-Submitter: Magali Lemes
X-Patchwork-Id: 1954157
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 1/1] Bluetooth: af_bluetooth: Fix deadlock
Date: Fri, 28 Jun 2024 17:03:07 -0300
Message-Id: <20240628200307.72936-3-magali.lemes@canonical.com>
In-Reply-To: <20240628200307.72936-1-magali.lemes@canonical.com>
References: <20240628200307.72936-1-magali.lemes@canonical.com>

From: Luiz Augusto von Dentz

Attempting to do sock_lock on .recvmsg may cause a deadlock as shown below, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF:

INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
      Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
 __schedule+0x37d/0xa00
 schedule+0x32/0xe0
 __lock_sock+0x68/0xa0
 ? __pfx_autoremove_wake_function+0x10/0x10
 lock_sock_nested+0x43/0x50
 l2cap_sock_recv_cb+0x21/0xa0
 l2cap_recv_frame+0x55b/0x30a0
 ? psi_task_switch+0xeb/0x270
 ? finish_task_switch.isra.0+0x93/0x2a0
 hci_rx_work+0x33a/0x3f0
 process_one_work+0x13a/0x2f0
 worker_thread+0x2f0/0x410
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe0/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30

Fixes: 2e07e8348ea4 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg")
Signed-off-by: Luiz Augusto von Dentz
(backported from commit f7b94bdc1ec107c92262716b073b3e816d4784fb)
[magalilemes: upstream commit f4b41f062c42 ("net: remove noblock parameter from skb_recv_datagram()") does not exist in Jammy, so skb_recv_datagram with an extra parameter provokes a small context conflict.]
CVE-2024-26886
Signed-off-by: Magali Lemes --- net/bluetooth/af_bluetooth.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index b7498e890f0b..9b491a72d62b 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c @@ -263,14 +263,11 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, if (flags & MSG_OOB) return -EOPNOTSUPP; - lock_sock(sk); - skb = skb_recv_datagram(sk, flags, noblock, &err); if (!skb) { if (sk->sk_shutdown & RCV_SHUTDOWN) err = 0; - release_sock(sk); return err; } @@ -296,8 +293,6 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, skb_free_datagram(sk, skb); - release_sock(sk); - if (flags & MSG_TRUNC) copied = skblen; @@ -520,10 +515,11 @@ int bt_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) if (sk->sk_state == BT_LISTEN) return -EINVAL; - lock_sock(sk); + spin_lock(&sk->sk_receive_queue.lock); skb = skb_peek(&sk->sk_receive_queue); amount = skb ? skb->len : 0; - release_sock(sk); + spin_unlock(&sk->sk_receive_queue.lock); + err = put_user(amount, (int __user *)arg); break;
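Review bot: the first bt_sock_recvmsg() hunk removes the lock_sock()/release_sock() pair around skb_recv_datagram(), which is what 2e07e8348ea4 (the commit named in the Fixes: tag) had added against the use-after-free; the commit message explains the deadlock from the trace but should also state what now protects the skb between the dequeue and skb_free_datagram() once the socket lock no longer covers that window, so a reviewer can confirm the UAF is not reintroduced. The retained `noblock` argument in the context line `skb = skb_recv_datagram(sk, flags, noblock, &err);` matches the backport note about f4b41f062c42 being absent in Jammy, so the context conflict looks correctly resolved.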
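Review bot: in the bt_sock_ioctl() hunk, `spin_lock(&sk->sk_receive_queue.lock)` is the plain variant; the commit message should say from which contexts skbs are queued onto sk_receive_queue so a reviewer can confirm that a _bh or _irqsave variant is not needed here (the trace shows the enqueue path running from the hci0 workqueue, i.e. process context, which supports the plain lock). The empty `+` line added before `err = put_user(amount, (int __user *)arg);` is a stray whitespace change and could be dropped from the backport.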