[BUG] Bluetooth: mgmt: Use-after-free in set_name_sync due to race condition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello maintainers,

I would like to report  a use-after-free (UAF) vulnerability
identified in the Linux Bluetooth management (mgmt) subsystem using
our customized syzkaller on 6.17.0-rc5.

The vulnerability is caused by a race condition between an
asynchronous command execution running in a work queue
(`set_name_sync`) and the synchronous cleanup process during an HCI
device shutdown (`__mgmt_power_off`).

After my analysis, the situation when race occurs may be as follows:

Thread A (PID 189):
  1. User sends MGMT_OP_SET_LOCAL_NAME command
  2. mgmt_pending_add() allocates cmd object (ffff88810c9cd080)
  3. hci_cmd_sync_queue() schedules set_name_sync() for async execution

Thread A (PID 20963):
  4. User initiates HCI device shutdown
  5. __mgmt_power_off() → mgmt_pending_foreach() frees ALL pending commands
  6. mgmt_pending_free() deallocates the cmd object

Thread B (kworker):
  7. Work queue executes set_name_sync()
  8. Accesses freed cmd->param → UAF triggered

The detail KASAN report as follow:
==================================================================
BUG: KASAN: slab-use-after-free in set_name_sync+0x72/0x190
net/bluetooth/mgmt.c:3896
Read of size 8 at addr ffff88810c9cd0a0 by task kworker/u17:0/80

CPU: 3 UID: 0 PID: 80 Comm: kworker/u17:0 Not tainted
6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x191/0x550 mm/kasan/report.c:482
 kasan_report+0xc4/0x100 mm/kasan/report.c:595
 set_name_sync+0x72/0x190 net/bluetooth/mgmt.c:3896
 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319
 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400
 kthread+0x3c7/0x870 kernel/kthread.c:463
 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 189:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x30/0x70 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 mgmt_pending_new+0x66/0x200 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x35/0x120 net/bluetooth/mgmt_util.c:296
 set_local_name+0x1cc/0x4f0 net/bluetooth/mgmt.c:3951
 hci_mgmt_cmd+0xc9f/0x11a0 net/bluetooth/hci_sock.c:1719
 hci_sock_sendmsg+0x69e/0xfe0 net/bluetooth/hci_sock.c:1839
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x223/0x270 net/socket.c:729
 sock_write_iter+0x2ae/0x3d0 net/socket.c:1179
 do_iter_readv_writev+0x67b/0x900
 vfs_writev+0x3ed/0xea0 fs/read_write.c:1057
 do_writev+0x144/0x2c0 fs/read_write.c:1103
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 20963:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x30/0x70 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2428 [inline]
 slab_free mm/slub.c:4701 [inline]
 kfree+0x199/0x3b0 mm/slub.c:4900
 mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
 mgmt_pending_foreach+0x2cc/0x340 net/bluetooth/mgmt_util.c:257
 __mgmt_power_off+0x13a/0x390 net/bluetooth/mgmt.c:9439
 hci_dev_close_sync+0x769/0x10a0 net/bluetooth/hci_sync.c:5290
 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
 hci_dev_close+0x135/0x1d0 net/bluetooth/hci_core.c:526
 sock_do_ioctl+0x84/0x330 net/socket.c:1238
 sock_ioctl+0x558/0x700 net/socket.c:1359
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl+0xf3/0x160 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88810c9cd080
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 32 bytes inside of
 freed 96-byte region [ffff88810c9cd080, ffff88810c9cd0e0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c9cd
anon flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff888100042280 ffffea00042c6000 dead000000000005
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810c9ccf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88810c9cd000: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88810c9cd080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                               ^
 ffff88810c9cd100: 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc
 ffff88810c9cd180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux