linux/drivers/bluetooth
Thadeu Lima de Souza Cascardo b548f5e945 Bluetooth: btmtk: avoid UAF in btmtk_process_coredump
hci_devcd_append may lead to the release of the skb, so it cannot be
accessed once it is called.

==================================================================
BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]
Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82

CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G     U             6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c
Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024
Workqueue: events btusb_rx_work [btusb]
Call Trace:
 <TASK>
 dump_stack_lvl+0xfd/0x150
 print_report+0x131/0x780
 kasan_report+0x177/0x1c0
 btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]
 btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Allocated by task 82:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 __kasan_slab_alloc+0x4e/0x60
 kmem_cache_alloc+0x19f/0x360
 skb_clone+0x132/0xf70
 btusb_recv_acl_mtk+0x104/0x1a0 [btusb]
 btusb_rx_work+0x9e/0xe0 [btusb]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

Freed by task 1733:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 kasan_save_free_info+0x28/0xb0
 ____kasan_slab_free+0xfd/0x170
 kmem_cache_free+0x183/0x3f0
 hci_devcd_rx+0x91a/0x2060 [bluetooth]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

The buggy address belongs to the object at ffff888033cfab40
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 112 bytes inside of
 freed 232-byte region [ffff888033cfab40, ffff888033cfac28)

The buggy address belongs to the physical page:
page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa
head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x4000000000000840(slab|head|zone=1)
page_type: 0xffffffff()
raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Check if we need to call hci_devcd_complete before calling
hci_devcd_append. That requires that we check data->cd_info.cnt >=
MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we
increment data->cd_info.cnt only once the call to hci_devcd_append
succeeds.

Fixes: 0b70151328 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2024-12-12 09:25:28 -05:00
ath3k.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
bcm203x.c Bluetooth: bcm203x: remove superfluous header files 2022-03-18 17:12:09 +01:00
bfusb.c Bluetooth: bfusb: fix division by zero in send path 2021-10-25 15:04:46 +02:00
bluecard_cs.c Bluetooth: Use fallthrough pseudo-keyword 2020-07-10 19:09:42 +02:00
bpa10x.c Bluetooth: bpa10x: change return value 2019-09-04 16:11:46 +02:00
bt3c_cs.c Bluetooth: bt3c_cs: Fix obsolete function 2018-09-27 12:57:39 +02:00
btbcm.c Bluetooth: btbcm: fix missing of_node_put() in btbcm_get_board_name() 2024-11-14 15:35:40 -05:00
btbcm.h Bluetooth: hci_bcm: Add support for FW loading in autobaud mode 2022-07-21 17:04:38 -07:00
btintel_pcie.c Bluetooth: btintel_pcie: Replace deprecated PCI functions 2024-11-14 15:34:40 -05:00
btintel_pcie.h Bluetooth: btintel_pcie: Add recovery mechanism 2024-11-14 15:30:53 -05:00
btintel.c Bluetooth: btintel: Direct exception event to bluetooth stack 2024-11-14 15:40:55 -05:00
btintel.h Bluetooth: btintel: Add DSBR support for BlazarIW, BlazarU and GaP 2024-11-14 15:31:30 -05:00
btmrvl_debugfs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_390.RULE 2022-06-10 14:51:36 +02:00
btmrvl_drv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_390.RULE 2022-06-10 14:51:36 +02:00
btmrvl_main.c Bluetooth: HCI: Remove HCI_AMP support 2024-05-14 10:54:49 -04:00
btmrvl_sdio.c Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() 2024-09-27 10:52:19 -04:00
btmrvl_sdio.h treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_390.RULE 2022-06-10 14:51:36 +02:00
btmtk.c Bluetooth: btmtk: avoid UAF in btmtk_process_coredump 2024-12-12 09:25:28 -05:00
btmtk.h Bluetooth: btmtk: remove #ifdef around declarations 2024-07-26 10:56:54 -04:00
btmtksdio.c Bluetooth: btmtksdio: Lookup device node only as fallback 2024-11-14 15:31:12 -05:00
btmtkuart.c bluetooth: Fix typos in the comments 2024-11-14 15:28:07 -05:00
btnxpuart.c Bluetooth: btnxpuart: Add GPIO support to power save feature 2024-11-14 15:29:37 -05:00
btqca.c Bluetooth: qca: Fix error code in qca_read_fw_build_info() 2024-05-14 10:51:09 -04:00
btqca.h Bluetooth: qca: clean up defines 2024-05-14 10:51:07 -04:00
btqcomsmd.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
btrsi.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
btrtl.c Bluetooth: btrtl: Decrease HCI_OP_RESET timeout from 10 s to 2 s 2024-11-14 15:35:57 -05:00
btrtl.h Bluetooth: btrtl: Add Realtek devcoredump support 2023-08-11 11:35:14 -07:00
btsdio.c Bluetooth: btsdio: Do not bind to non-removable CYW4373 2024-09-12 12:24:08 -04:00
btusb.c Bluetooth: btusb: Add 3 HWIDs for MT7925 2024-11-14 15:38:18 -05:00
dtl1_cs.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
h4_recv.h move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hci_ag6xx.c Bluetooth: hci_uart: Remove redundant assignment to fw_ptr 2021-06-26 07:52:41 +02:00
hci_aml.c Bluetooth: hci_uart: Add support for Amlogic HCI UART 2024-09-10 12:44:10 -04:00
hci_ath.c Bluetooth: hci_uart: check for missing tty operations 2019-07-31 13:17:33 -07:00
hci_bcm4377.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hci_bcm.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
hci_bcsp.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hci_h4.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hci_h5.c Bluetooth: btrtl: fix out of bounds memory access 2024-03-06 17:26:21 -05:00
hci_intel.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
hci_ldisc.c bluetooth: Fix typos in the comments 2024-11-14 15:28:07 -05:00
hci_ll.c bluetooth: Fix typos in the comments 2024-11-14 15:28:07 -05:00
hci_mrvl.c Bluetooth: hci_mrvl: Add serdev support for 88W8997 2023-04-23 21:45:29 -07:00
hci_nokia.c bluetooth: Fix typos in the comments 2024-11-14 15:28:07 -05:00
hci_qca.c Bluetooth: hci_qca: use devm_clk_get_optional_enabled_with_rate() 2024-11-14 15:31:50 -05:00
hci_serdev.c Bluetooth: HCI: Remove HCI_AMP support 2024-05-14 10:54:49 -04:00
hci_uart.h Bluetooth: hci_uart: Add support for Amlogic HCI UART 2024-09-10 12:44:10 -04:00
hci_vhci.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
Kconfig Bluetooth: add HAS_IOPORT dependencies 2024-10-28 21:44:27 +00:00
Makefile Bluetooth: hci_uart: Add support for Amlogic HCI UART 2024-09-10 12:44:10 -04:00
virtio_bt.c virtio: rename virtio_find_vqs_info() to virtio_find_vqs() 2024-07-17 05:20:58 -04:00