From: Joe Lawrence <joe.lawrence@redhat.com>
Subject: [RHEL8.4 KPATCH v2] bluetooth: kpatch fixes for CVE-2021-33034
Date: Thu, 10 Jun 2021 09:06:37 -0400
Changes since last build:
[x86_64]:
hci_event.o: changed function: hci_event_packet
[ppc64le]:
hci_event.o: changed function: hci_event_packet
hci_event.o: new function: hci_resolve_name
---------------------------
Kernels:
4.18.0-305.el8
4.18.0-305.3.1.el8_4
Modifications:
- Remove modification of struct hci_chan and add hchan_amp
shadow variable as flag instead
commit 418fac0a2503c7e5b310052431cecab67a0efb8f
Author: Gopal Tiwari <gtiwari@redhat.com>
Date: Thu May 20 11:27:10 2021 +0530
Bluetooth: verify AMP hci_chan before amp_destroy
Bugzilla: https://bugzilla.redhat.com/1962544
CVE: CVE-2021-33034
Y-Commit: 162078c99ca2f976692d81b532a9eea80332cf82
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962546
O-CVE: CVE-2021-33034
Testing: Verified by me with the help of reproducer.
https://bugzilla.redhat.com/show_bug.cgi?id=1962546#c1
Upstream: Merged.
commit 5c4c8c9544099bb9043a10a5318130a943e32fc3
Author: Archie Pusaka <apusaka@chromium.org>
Date: Mon Mar 22 14:03:11 2021 +0800
Bluetooth: verify AMP hci_chan before amp_destroy
hci_chan can be created in 2 places: hci_loglink_complete_evt() if
it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory,
Only AMP hci_chan should be removed by a call to
hci_disconn_loglink_complete_evt(). However, the controller might mess
up, call that function, and destroy an hci_chan which is not initiated
by hci_loglink_complete_evt().
This patch adds a verification that the destroyed hci_chan must have
been init'd by hci_loglink_complete_evt().
Example crash call trace:
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe3/0x144 lib/dump_stack.c:118
print_address_description+0x67/0x22a mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report+0x251/0x28f mm/kasan/report.c:396
hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072
l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877
l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661
l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline]
l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline]
l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline]
l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023
l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596
hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline]
hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796
process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
kthread+0x2f0/0x304 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
Allocated by task 38:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674
l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062
l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline]
l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381
hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404
hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline]
hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981
hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
kthread+0x2f0/0x304 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
Freed by task 1732:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free mm/kasan/kasan.c:521 [inline]
__kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493
slab_free_hook mm/slub.c:1409 [inline]
slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436
slab_free mm/slub.c:3009 [inline]
kfree+0x182/0x21e mm/slub.c:3972
hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline]
hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050
hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
kthread+0x2f0/0x304 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8881d7af9180
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
128-byte region [ffff8881d7af9180, ffff8881d7af9200)
The buggy address belongs to the page:
page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com
Reviewed-by: Alain Michaud <alainm@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 5c4c8c9544099bb9043a10a5318130a943e32fc3)
Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Joel Savitz <jsavitz@redhat.com> for v1
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Acked-by: Artem Savkov <asavkov@redhat.com>
Acked-by: Yannick Cote <ycote@redhat.com>
---
v2:
- minor code cleanup from v1, removed intermediate variables
- I tried forcing hci_resolve_name() as always_inline on ppc64le, but
this cascaded into a series of neverending inline / half inline / etc.
compiler decisions that I could never completely eliminate.
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/692
KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5457381
for kpatch-patch-4_18_0-193_1_2-1-12.el8_2 scratch build:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37373415
net/bluetooth/hci_event.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 8a7af33b0a3e..e66687f5b701 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -29,6 +29,9 @@
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/mgmt.h>
+#include <linux/livepatch.h>
+
+#define KLP_CVE_2021_33034_HCHAN_AMP 0x2021330340000000
#include "hci_request.h"
#include "hci_debugfs.h"
@@ -4929,6 +4932,11 @@ static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
return;
hchan->handle = le16_to_cpu(ev->handle);
+ if (!klp_shadow_get_or_alloc(hchan, KLP_CVE_2021_33034_HCHAN_AMP,
+ 0, GFP_KERNEL, NULL, NULL)) {
+ hci_chan_del(hchan);
+ return;
+ }
BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
@@ -4961,9 +4969,10 @@ static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
hci_dev_lock(hdev);
hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
- if (!hchan)
+ if (!hchan || !klp_shadow_get(hchan, KLP_CVE_2021_33034_HCHAN_AMP))
goto unlock;
+ klp_shadow_free(hchan, KLP_CVE_2021_33034_HCHAN_AMP, NULL);
amp_destroy_logical_link(hchan, ev->reason);
unlock:
--
2.26.3