From: Joe Lawrence Subject: [RHEL7.9 KPATCH v2] bluetooth: kpatch fixes for CVE-2021-33034 Date: Thu, 10 Jun 2021 16:45:14 -0400 Kernels: 3.10.0-1160.el7 3.10.0-1160.2.1.el7 3.10.0-1160.2.2.el7 3.10.0-1160.6.1.el7 3.10.0-1160.11.1.el7 3.10.0-1160.15.2.el7 3.10.0-1160.21.1.el7 3.10.0-1160.24.1.el7 3.10.0-1160.25.1.el7 3.10.0-1160.31.1.el7 Changes since last build: [x86_64]: hci_event.o: changed function: hci_event_packet hci_event.o: changed function: hci_loglink_complete_evt.isra.120 hci_event.o: new function: hci_remote_name_evt.isra.69 hci_event.o: new function: hci_user_passkey_request_evt.isra.111 [ppc64le]: hci_event.o: changed function: hci_cmd_status_evt hci_event.o: changed function: hci_event_packet hci_event.o: changed function: hci_inquiry_complete_evt.isra.37 hci_event.o: changed function: hci_inquiry_result_evt.isra.46 hci_event.o: changed function: hci_keypress_notify_evt.isra.109 hci_event.o: changed function: hci_le_meta_evt hci_event.o: changed function: hci_link_key_request_evt.isra.49 hci_event.o: changed function: hci_num_comp_blocks_evt.isra.117 hci_event.o: changed function: hci_remote_ext_features_evt.isra.64 hci_event.o: changed function: hci_sync_conn_complete_evt.isra.103 hci_event.o: changed function: hci_user_passkey_notify_evt.isra.108 hci_event.o: new function: conn_set_key hci_event.o: new function: hci_auth_complete_evt.isra.61 hci_event.o: new function: hci_conn_request_evt.isra.56 hci_event.o: new function: hci_inquiry_result_with_rssi_evt.isra.47 hci_event.o: new function: hci_io_capa_request_evt.isra.104 hci_event.o: new function: hci_outgoing_auth_needed.isra.2.part.3 hci_event.o: new function: hci_pscan_rep_mode_evt.isra.54 hci_event.o: new function: hci_remote_host_features_evt.isra.55 hci_event.o: new function: hci_simple_pair_complete_evt.isra.62 --------------------------- Kernels: 3.10.0-1160.el7 3.10.0-1160.2.1.el7 3.10.0-1160.2.2.el7 3.10.0-1160.6.1.el7 3.10.0-1160.11.1.el7 3.10.0-1160.15.2.el7 3.10.0-1160.21.1.el7 3.10.0-1160.24.1.el7 3.10.0-1160.25.1.el7 3.10.0-1160.31.1.el7 Modifications: none commit e103bba0f15a04cb71a2a472973a1ad79aabfd7a Author: Gopal Tiwari Date: Thu May 20 12:01:15 2021 +0530 Bluetooth: verify AMP hci_chan before amp_destroy Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962532 CVE: CVE-2021-33034 Testing: Sanity_only. Upstream: Merged. commit 5c4c8c9544099bb9043a10a5318130a943e32fc3 Author: Archie Pusaka Date: Mon Mar 22 14:03:11 2021 +0800 Bluetooth: verify AMP hci_chan before amp_destroy hci_chan can be created in 2 places: hci_loglink_complete_evt() if it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory, Only AMP hci_chan should be removed by a call to hci_disconn_loglink_complete_evt(). However, the controller might mess up, call that function, and destroy an hci_chan which is not initiated by hci_loglink_complete_evt(). This patch adds a verification that the destroyed hci_chan must have been init'd by hci_loglink_complete_evt(). Example crash call trace: Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xe3/0x144 lib/dump_stack.c:118 print_address_description+0x67/0x22a mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report+0x251/0x28f mm/kasan/report.c:396 hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072 l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877 l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661 l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline] l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline] l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023 l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596 hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline] hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796 process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 kthread+0x2f0/0x304 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 Allocated by task 38: set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553 kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674 l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062 l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline] l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381 hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404 hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline] hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981 hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 kthread+0x2f0/0x304 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 Freed by task 1732: set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free mm/kasan/kasan.c:521 [inline] __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493 slab_free_hook mm/slub.c:1409 [inline] slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436 slab_free mm/slub.c:3009 [inline] kfree+0x182/0x21e mm/slub.c:3972 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline] hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050 hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 kthread+0x2f0/0x304 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff8881d7af9180 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 24 bytes inside of 128-byte region [ffff8881d7af9180, ffff8881d7af9200) The buggy address belongs to the page: page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200 raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Signed-off-by: Archie Pusaka Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com Reviewed-by: Alain Michaud Reviewed-by: Abhishek Pandit-Subedi Signed-off-by: Marcel Holtmann Signed-off-by: Gopal Tiwari Signed-off-by: Joel Savitz for v1 Signed-off-by: Joe Lawrence Acked-by: Artem Savkov Acked-by: Yannick Cote --- v1: - not posted, but Joel sent to my e-mail v2: - minor code cleanup from v1, removed intermediate variables - a bunchmore ppc64le inlines changed, but this time I didn't attempt to steer the compiler. I assume it's a similar fool's errand as with 8.4, only with even more functions to worry about. - tested repro on ppc64le Z-Status: merged KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5461337 for kpatch-patch-3_10_0-1160-1-7.el7 scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37392562 net/bluetooth/hci_event.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index e17aacbc5630..613b2493288f 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -29,6 +29,9 @@ #include #include #include +#include + +#define KLP_CVE_2021_33034_HCHAN_AMP 0x2021330340000000 #include "hci_request.h" #include "hci_debugfs.h" @@ -4394,6 +4397,11 @@ static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) return; hchan->handle = le16_to_cpu(ev->handle); + if (!klp_shadow_get_or_alloc(hchan, KLP_CVE_2021_33034_HCHAN_AMP, + 0, GFP_KERNEL, NULL, NULL)) { + hci_chan_del(hchan); + return; + } BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); @@ -4426,9 +4434,10 @@ static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, hci_dev_lock(hdev); hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); - if (!hchan) + if (!hchan || !klp_shadow_get(hchan, KLP_CVE_2021_33034_HCHAN_AMP)) goto unlock; + klp_shadow_free(hchan, KLP_CVE_2021_33034_HCHAN_AMP, NULL); amp_destroy_logical_link(hchan, ev->reason); unlock: -- 2.26.3