From: Yuxuan Hu <20373622(a)buaa.edu.cn>
maillist inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YV3O
CVE: CVE-2024-22099
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/…
--------------------------------
During our fuzz testing of the connection and disconnection process at the
RFCOMM layer, we discovered this bug. By comparing the packets from a
normal connection and disconnection process with the test case that
triggered a KASAN report, we analyzed the cause of this bug as follows:
1. In the packets captured during a normal connection, the host sends a
`Read Encryption Key Size` type of `HCI_CMD` packet
(Command Opcode: 0x1408) to the controller to inquire the length of the
encryption key. After receiving this packet, the controller immediately
replies with a Command Complete packet (Event Code: 0x0e) to return the
Encryption Key Size.
2. In our fuzz test case, the timing of the controller's response to this
packet was delayed to an unexpected point: after the RFCOMM and L2CAP
layers had disconnected but before the HCI layer had disconnected.
3. After receiving the Encryption Key Size Response at the time described
in point 2, the host still called the rfcomm_check_security function.
However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`
had already been released, and when the function executed
`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,
specifically when accessing `conn->hcon`, a null-ptr-deref error occurred.
To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling
rfcomm_recv_frame in rfcomm_process_rx.
Signed-off-by: Yuxuan Hu <20373622(a)buaa.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/bluetooth/rfcomm/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index b98225d65e87..6dff0d925400 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1903,7 +1903,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
/* Get data directly from socket receive queue without copying it. */
while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
skb_orphan(skb);
- if (!skb_linearize(skb)) {
+ if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) {
s = rfcomm_recv_frame(s, skb);
if (!s)
break;
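Review bot: the new condition in the `if` evaluates `skb_linearize(skb)` before `sk->sk_state != BT_CLOSED`, so every frame queued on an already-closed socket is still linearized (possibly reallocating the skb) before being discarded; reordering the operands to `if (sk->sk_state != BT_CLOSED && !skb_linearize(skb))` drops frames for a closed socket without that work and reads as "only parse frames while the socket is open". A one-line comment above the check stating why a frame can still arrive here after close (the delayed Encryption Key Size response described in the commit message) would also help the next reader, since nothing in the loop itself explains the state test.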
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 992b5fc139d3aa14b25613b06adee4bb9c110b28
commit: b8ba22a604e4d0a3ad8e23af22f432e12b6f1a65 [17239/21577] nvme: fix compat address handling in several ioctls
config: arm64-randconfig-002-20240125 (https://download.01.org/0day-ci/archive/20240127/202401271204.lWrJHpqI-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240127/202401271204.lWrJHpqI-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202401271204.lWrJHpqI-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/nvme/host/core.c: In function 'nvme_to_user_ptr':
>> drivers/nvme/host/core.c:1163:27: error: 'compat_uptr_t' undeclared (first use in this function); did you mean 'compat_time_t'?
1163 | ptrval = (compat_uptr_t)ptrval;
| ^~~~~~~~~~~~~
| compat_time_t
drivers/nvme/host/core.c:1163:27: note: each undeclared identifier is reported only once for each function it appears in
>> drivers/nvme/host/core.c:1163:41: error: expected ';' before 'ptrval'
1163 | ptrval = (compat_uptr_t)ptrval;
| ^~~~~~
| ;
vim +1163 drivers/nvme/host/core.c
1154
1155 /*
1156 * Convert integer values from ioctl structures to user pointers, silently
1157 * ignoring the upper bits in the compat case to match behaviour of 32-bit
1158 * kernels.
1159 */
1160 static void __user *nvme_to_user_ptr(uintptr_t ptrval)
1161 {
1162 if (in_compat_syscall())
> 1163 ptrval = (compat_uptr_t)ptrval;
1164 return (void __user *)ptrval;
1165 }
1166
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
From: Yuxuan Hu <20373622(a)buaa.edu.cn>
maillist inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YV3O
CVE: CVE-2024-22099
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/…
--------------------------------
During our fuzz testing of the connection and disconnection process at the
RFCOMM layer, we discovered this bug. By comparing the packets from a
normal connection and disconnection process with the test case that
triggered a KASAN report, we analyzed the cause of this bug as follows:
1. In the packets captured during a normal connection, the host sends a
`Read Encryption Key Size` type of `HCI_CMD` packet
(Command Opcode: 0x1408) to the controller to inquire the length of the
encryption key. After receiving this packet, the controller immediately
replies with a Command Complete packet (Event Code: 0x0e) to return the
Encryption Key Size.
2. In our fuzz test case, the timing of the controller's response to this
packet was delayed to an unexpected point: after the RFCOMM and L2CAP
layers had disconnected but before the HCI layer had disconnected.
3. After receiving the Encryption Key Size Response at the time described
in point 2, the host still called the rfcomm_check_security function.
However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`
had already been released, and when the function executed
`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,
specifically when accessing `conn->hcon`, a null-ptr-deref error occurred.
To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling
rfcomm_recv_frame in rfcomm_process_rx.
Signed-off-by: Yuxuan Hu <20373622(a)buaa.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/bluetooth/rfcomm/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 8d6fce9005bd..4f54c7df3a94 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1937,7 +1937,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
/* Get data directly from socket receive queue without copying it. */
while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
skb_orphan(skb);
- if (!skb_linearize(skb)) {
+ if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) {
s = rfcomm_recv_frame(s, skb);
if (!s)
break;
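Review bot: the check on `sk->sk_state` in the `if` is a point-in-time read inside the dequeue loop, but neither the hunk nor the commit message says what orders the socket's transition to BT_CLOSED (done by the RFCOMM/L2CAP disconnect path) ahead of this rx processing, which is exactly the ordering the bug depends on; please state in the commit message which lock or context serialises `sk->sk_state` with `rfcomm_process_rx`, otherwise a reader cannot tell whether the delayed Encryption Key Size response can still slip in between the state change and this test. The hunk also drops such frames silently; a `BT_DBG`-style trace on the discard path would make the condition observable when it fires.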
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 992b5fc139d3aa14b25613b06adee4bb9c110b28
commit: fdda68feeca82610ccbcdcbda7250623a6d187d2 [13850/21577] arm64/ascend: Set mem_sleep_current to PM_SUSPEND_ON for ascend platform
config: arm64-randconfig-002-20240125 (https://download.01.org/0day-ci/archive/20240127/202401270152.apkuohJO-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240127/202401270152.apkuohJO-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202401270152.apkuohJO-lkp@intel.com/
All errors (new ones prefixed by >>):
arch/arm64/mm/init.c:469:13: warning: no previous prototype for 'arm64_memblock_init' [-Wmissing-prototypes]
469 | void __init arm64_memblock_init(void)
| ^~~~~~~~~~~~~~~~~~~
arch/arm64/mm/init.c: In function 'ascend_enable_setup':
>> arch/arm64/mm/init.c:784:17: error: 'mem_sleep_current' undeclared (first use in this function)
784 | mem_sleep_current = PM_SUSPEND_ON;
| ^~~~~~~~~~~~~~~~~
arch/arm64/mm/init.c:784:17: note: each undeclared identifier is reported only once for each function it appears in
vim +/mem_sleep_current +784 arch/arm64/mm/init.c
770
771 #ifdef CONFIG_ASCEND_FEATURES
772 static int __init ascend_enable_setup(char *__unused)
773 {
774 if (IS_ENABLED(CONFIG_ASCEND_DVPP_MMAP))
775 enable_mmap_dvpp = 1;
776
777 if (IS_ENABLED(CONFIG_ASCEND_IOPF_HIPRI))
778 enable_iopf_hipri = 1;
779
780 if (IS_ENABLED(CONFIG_ASCEND_CHARGE_MIGRATE_HUGEPAGES))
781 enable_charge_mighp = 1;
782
783 if (IS_ENABLED(CONFIG_SUSPEND))
> 784 mem_sleep_current = PM_SUSPEND_ON;
785
786 return 1;
787 }
788
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki