Message ID | 20240404124723.2429464-1-edumazet@google.com |
---|---|
State | New |
Headers | show |
Series | [net] Bluetooth: validate setsockopt(RFCOMM_LM) user input | expand |
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=841427
---Test result---
Test Summary:
CheckPatch FAIL 1.03 seconds
GitLint FAIL 0.60 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 31.16 seconds
CheckAllWarning PASS 33.60 seconds
CheckSparse PASS 39.51 seconds
CheckSmatch FAIL 35.71 seconds
BuildKernel32 PASS 29.72 seconds
TestRunnerSetup PASS 536.32 seconds
TestRunner_l2cap-tester PASS 20.05 seconds
TestRunner_iso-tester PASS 30.80 seconds
TestRunner_bnep-tester PASS 4.75 seconds
TestRunner_mgmt-tester FAIL 111.92 seconds
TestRunner_rfcomm-tester PASS 7.43 seconds
TestRunner_sco-tester PASS 17.66 seconds
TestRunner_ioctl-tester PASS 7.83 seconds
TestRunner_mesh-tester PASS 5.95 seconds
TestRunner_smp-tester PASS 6.80 seconds
TestRunner_userchan-tester PASS 5.04 seconds
IncrementalBuild PASS 29.10 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[net] Bluetooth: validate setsockopt(RFCOMM_LM) user input
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#104:
CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
WARNING: Possible repeated word: 'Google'
#105:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#204:
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
total: 0 errors, 3 warnings, 0 checks, 10 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13617810.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[net] Bluetooth: validate setsockopt(RFCOMM_LM) user input
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
6: B1 Line exceeds max length (95>80): " BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]"
7: B1 Line exceeds max length (88>80): " BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]"
8: B1 Line exceeds max length (102>80): " BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline]"
9: B1 Line exceeds max length (101>80): " BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673"
12: B1 Line exceeds max length (89>80): "CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0"
13: B1 Line exceeds max length (89>80): "Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024"
33: B1 Line exceeds max length (199>80): "Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48"
66: B1 Line exceeds max length (90>80): "page:ffffea0000826a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x209a8"
73: B1 Line exceeds max length (164>80): "page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 9917548498, free_ts 0"
115: B1 Line exceeds max length (81>80): "Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com> (supporter:BLUETOOTH SUBSYSTEM)"
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: net/bluetooth/hci_core.o] Error 139
make[4]: *** Deleting file 'net/bluetooth/hci_core.o'
make[3]: *** [scripts/Makefile.build:485: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: net] Error 2
make[2]: *** Waiting for unfinished jobs....
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: drivers/bluetooth/bcm203x.o] Error 139
make[4]: *** Deleting file 'drivers/bluetooth/bcm203x.o'
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:485: drivers/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: drivers] Error 2
make[1]: *** [/github/workspace/src/src/Makefile:1919: .] Error 2
make: *** [Makefile:240: __sub-make] Error 2
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 489 (99.4%), Failed: 1, Not Run: 2
Failed Test Cases
LL Privacy - Add Device 5 (2 Devices to RL) Failed 0.163 seconds
---
Regards,
Linux Bluetooth
On Thu, Apr 04, 2024 at 12:47:23PM +0000, Eric Dumazet wrote: > syzbot reported rfcomm_sock_setsockopt_old() is copying data without > checking user input length. > > BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] > BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] > BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] > BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 > Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064 > > CPU: 0 PID: 5064 Comm: syz-executor632 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 > print_address_description mm/kasan/report.c:377 [inline] > print_report+0x169/0x550 mm/kasan/report.c:488 > kasan_report+0x143/0x180 mm/kasan/report.c:601 > copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] > copy_from_sockptr include/linux/sockptr.h:55 [inline] > rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] > rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 > do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 > __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 > __do_sys_setsockopt net/socket.c:2343 [inline] > __se_sys_setsockopt net/socket.c:2340 [inline] > __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 > do_syscall_64+0xfb/0x240 > entry_SYSCALL_64_after_hwframe+0x6d/0x75 > RIP: 0033:0x7f36ff898dc9 > Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007ffe010c2208 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 > RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f36ff898dc9 > RDX: 0000000000000003 RSI: 0000000000000012 RDI: 0000000000000006 > RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000000000 > R10: 00000000200000c0 R11: 0000000000000246 R12: 0000555567399338 > R13: 000000000000000e R14: 0000000000000000 R15: 0000000000000000 > </TASK> > > Allocated by task 5064: > kasan_save_stack mm/kasan/common.c:47 [inline] > kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 > poison_kmalloc_redzone mm/kasan/common.c:370 [inline] > __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 > kasan_kmalloc include/linux/kasan.h:211 [inline] > __do_kmalloc_node mm/slub.c:3966 [inline] > __kmalloc+0x233/0x4a0 mm/slub.c:3979 > kmalloc include/linux/slab.h:632 [inline] > __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869 > do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 > __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 > __do_sys_setsockopt net/socket.c:2343 [inline] > __se_sys_setsockopt net/socket.c:2340 [inline] > __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 > do_syscall_64+0xfb/0x240 > entry_SYSCALL_64_after_hwframe+0x6d/0x75 > > The buggy address belongs to the object at ffff8880209a8bc0 > which belongs to the cache kmalloc-8 of size 8 > The buggy address is located 1 bytes to the right of > allocated 2-byte region [ffff8880209a8bc0, ffff8880209a8bc2) > > The buggy address belongs to the physical page: > page:ffffea0000826a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x209a8 > flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff) > page_type: 0xffffffff() > raw: 00fff00000000800 ffff888014c41280 ffffea000081fb80 dead000000000002 > raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > page_owner tracks the page as allocated > page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 9917548498, free_ts 0 > set_page_owner include/linux/page_owner.h:31 [inline] > post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 > prep_new_page mm/page_alloc.c:1540 [inline] > get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311 > __alloc_pages+0x256/0x680 mm/page_alloc.c:4569 > __alloc_pages_node include/linux/gfp.h:238 [inline] > alloc_pages_node include/linux/gfp.h:261 [inline] > alloc_slab_page+0x5f/0x160 mm/slub.c:2175 > allocate_slab mm/slub.c:2338 [inline] > new_slab+0x84/0x2f0 mm/slub.c:2391 > ___slab_alloc+0xc73/0x1260 mm/slub.c:3525 > __slab_alloc mm/slub.c:3610 [inline] > __slab_alloc_node mm/slub.c:3663 [inline] > slab_alloc_node mm/slub.c:3835 [inline] > __do_kmalloc_node mm/slub.c:3965 [inline] > __kmalloc+0x2e5/0x4a0 mm/slub.c:3979 > kmalloc_array include/linux/slab.h:665 [inline] > kcalloc include/linux/slab.h:696 [inline] > group_cpus_evenly+0x294/0x5f0 lib/group_cpus.c:365 > blk_mq_map_queues+0x4c/0x3e0 block/blk-mq-cpumap.c:23 > blk_mq_alloc_tag_set+0x7ac/0xf40 block/blk-mq.c:4521 > nbd_dev_add+0x367/0xc80 drivers/block/nbd.c:1831 > nbd_init+0x224/0x2e0 drivers/block/nbd.c:2593 > do_one_initcall+0x238/0x830 init/main.c:1241 > do_initcall_level+0x157/0x210 init/main.c:1303 > do_initcalls+0x3f/0x80 init/main.c:1319 > kernel_init_freeable+0x435/0x5d0 init/main.c:1550 > page_owner free stack trace missing > > Memory state around the buggy address: > ffff8880209a8a80: 06 fc fc fc 06 fc fc fc 06 fc fc fc 07 fc fc fc > ffff8880209a8b00: fa fc fc fc 05 fc fc fc 05 fc fc fc 05 fc fc fc > >ffff8880209a8b80: fa fc fc fc fa fc fc fc 02 fc fc fc fa fc fc fc > ^ > ffff8880209a8c00: 00 fc fc fc 00 fc fc fc 00 fc fc fc 05 fc fc fc > ffff8880209a8c80: 05 fc fc fc 05 fc fc fc fa fc fc fc 00 fc fc fc > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Reported-by: syzbot <syzkaller@googlegroups.com> > Signed-off-by: Eric Dumazet <edumazet@google.com> > Cc: Marcel Holtmann <marcel@holtmann.org> > Cc: Johan Hedberg <johan.hedberg@gmail.com> > Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com> (supporter:BLUETOOTH SUBSYSTEM) > Cc: linux-bluetooth@vger.kernel.org Reviewed-by: Simon Horman <horms@kernel.org>
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index b54e8a530f55a1ff9547a2a5546db34059ebd672..39155b41e9d781a4099bb7b7f29bb53d8fc63e9e 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -629,6 +629,10 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, switch (optname) { case RFCOMM_LM: + if (optlen < sizeof(u32)) { + err = -EINVAL; + break; + } if (copy_from_sockptr(&opt, optval, sizeof(u32))) { err = -EFAULT; break;