Blob Blame History Raw
From: Joe Lawrence <joe.lawrence@redhat.com>
Subject: [RHEL8.4 KPATCH v2] bluetooth: kpatch fixes for CVE-2021-33034
Date: Thu, 10 Jun 2021 09:06:37 -0400

Changes since last build:
[x86_64]:
hci_event.o: changed function: hci_event_packet

[ppc64le]:
hci_event.o: changed function: hci_event_packet
hci_event.o: new function: hci_resolve_name

---------------------------

Kernels:
4.18.0-305.el8
4.18.0-305.3.1.el8_4

Modifications:
- Remove modification of struct hci_chan and add hchan_amp
  shadow variable as flag instead

commit 418fac0a2503c7e5b310052431cecab67a0efb8f
Author: Gopal Tiwari <gtiwari@redhat.com>
Date:   Thu May 20 11:27:10 2021 +0530

    Bluetooth: verify AMP hci_chan before amp_destroy

    Bugzilla: https://bugzilla.redhat.com/1962544
    CVE: CVE-2021-33034
    Y-Commit: 162078c99ca2f976692d81b532a9eea80332cf82

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962546

    O-CVE: CVE-2021-33034

    Testing: Verified by me with the help of reproducer.
    https://bugzilla.redhat.com/show_bug.cgi?id=1962546#c1

    Upstream: Merged.

    commit 5c4c8c9544099bb9043a10a5318130a943e32fc3
    Author: Archie Pusaka <apusaka@chromium.org>
    Date:   Mon Mar 22 14:03:11 2021 +0800

    Bluetooth: verify AMP hci_chan before amp_destroy

    hci_chan can be created in 2 places: hci_loglink_complete_evt() if
    it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory,
    Only AMP hci_chan should be removed by a call to
    hci_disconn_loglink_complete_evt(). However, the controller might mess
    up, call that function, and destroy an hci_chan which is not initiated
    by hci_loglink_complete_evt().

    This patch adds a verification that the destroyed hci_chan must have
    been init'd by hci_loglink_complete_evt().

    Example crash call trace:
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0xe3/0x144 lib/dump_stack.c:118
     print_address_description+0x67/0x22a mm/kasan/report.c:256
     kasan_report_error mm/kasan/report.c:354 [inline]
     kasan_report mm/kasan/report.c:412 [inline]
     kasan_report+0x251/0x28f mm/kasan/report.c:396
     hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072
     l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877
     l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661
     l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline]
     l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline]
     l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline]
     l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline]
     l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023
     l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596
     hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline]
     hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796
     process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
     worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
     kthread+0x2f0/0x304 kernel/kthread.c:253
     ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415

    Allocated by task 38:
     set_track mm/kasan/kasan.c:460 [inline]
     kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553
     kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787
     kmalloc include/linux/slab.h:515 [inline]
     kzalloc include/linux/slab.h:709 [inline]
     hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674
     l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062
     l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline]
     l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381
     hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404
     hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline]
     hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981
     hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
     process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
     worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
     kthread+0x2f0/0x304 kernel/kthread.c:253
     ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415

    Freed by task 1732:
     set_track mm/kasan/kasan.c:460 [inline]
     __kasan_slab_free mm/kasan/kasan.c:521 [inline]
     __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493
     slab_free_hook mm/slub.c:1409 [inline]
     slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436
     slab_free mm/slub.c:3009 [inline]
     kfree+0x182/0x21e mm/slub.c:3972
     hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline]
     hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050
     hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
     process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
     worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
     kthread+0x2f0/0x304 kernel/kthread.c:253
     ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415

    The buggy address belongs to the object at ffff8881d7af9180
     which belongs to the cache kmalloc-128 of size 128
    The buggy address is located 24 bytes inside of
     128-byte region [ffff8881d7af9180, ffff8881d7af9200)
    The buggy address belongs to the page:
    page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0
    flags: 0x8000000000000200(slab)
    raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200
    raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
     ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
    >ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                ^
     ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

    Signed-off-by: Archie Pusaka <apusaka@chromium.org>
    Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com
    Reviewed-by: Alain Michaud <alainm@chromium.org>
    Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    (cherry picked from commit 5c4c8c9544099bb9043a10a5318130a943e32fc3)
    Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
    Signed-off-by: Jan Stancek <jstancek@redhat.com>

Signed-off-by: Joel Savitz <jsavitz@redhat.com> for v1
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Acked-by: Artem Savkov <asavkov@redhat.com>
Acked-by: Yannick Cote <ycote@redhat.com>

---

v2:
- minor code cleanup from v1, removed intermediate variables
- I tried forcing hci_resolve_name() as always_inline on ppc64le, but
  this cascaded into a series of neverending inline / half inline / etc.
  compiler decisions that I could never completely eliminate.

Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/692

KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5457381
for kpatch-patch-4_18_0-193_1_2-1-12.el8_2 scratch build:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37373415

 net/bluetooth/hci_event.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 8a7af33b0a3e..e66687f5b701 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -29,6 +29,9 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/mgmt.h>
+#include <linux/livepatch.h>
+
+#define KLP_CVE_2021_33034_HCHAN_AMP 0x2021330340000000
 
 #include "hci_request.h"
 #include "hci_debugfs.h"
@@ -4929,6 +4932,11 @@ static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 		return;
 
 	hchan->handle = le16_to_cpu(ev->handle);
+	if (!klp_shadow_get_or_alloc(hchan, KLP_CVE_2021_33034_HCHAN_AMP,
+				     0, GFP_KERNEL, NULL, NULL)) {
+		hci_chan_del(hchan);
+		return;
+	}
 
 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
 
@@ -4961,9 +4969,10 @@ static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
 	hci_dev_lock(hdev);
 
 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
-	if (!hchan)
+	if (!hchan || !klp_shadow_get(hchan, KLP_CVE_2021_33034_HCHAN_AMP))
 		goto unlock;
 
+	klp_shadow_free(hchan, KLP_CVE_2021_33034_HCHAN_AMP, NULL);
 	amp_destroy_logical_link(hchan, ev->reason);
 
 unlock:
-- 
2.26.3