archive mirror
 help / color / mirror / Atom feed
* Fw: [Bug 214729] New: Information leakage from kernel to user space in /net/bluetooth/hci_sock.c
@ 2021-10-16  0:25 Stephen Hemminger
  0 siblings, 0 replies; only message in thread
From: Stephen Hemminger @ 2021-10-16  0:25 UTC (permalink / raw)
  To: linux-bluetooth

Begin forwarded message:

Date: Fri, 15 Oct 2021 22:14:56 +0000
Subject: [Bug 214729] New: Information leakage from kernel to user space in /net/bluetooth/hci_sock.c

            Bug ID: 214729
           Summary: Information leakage from kernel to user space in
           Product: Networking
           Version: 2.5
    Kernel Version: 5.15-rc5
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: Other
        Regression: No

Hi Maintainers,
I recently reviewed the uninitialized value use bug in Linux kernel: 
and patch:

The vulnerable function is:
int __sys_getsockname(int fd, struct sockaddr __user *usockaddr,
                      int __user *usockaddr_len)
        struct socket *sock;
        struct sockaddr_storage address; // allocation
        int err, fput_needed;

        sock = sockfd_lookup_light(fd, &err, &fput_needed);
        if (!sock)
                goto out;

        err = security_socket_getsockname(sock);
        if (err)
                goto out_put;

        err = sock->ops->getname(sock, (struct sockaddr *)&address, 0); //
        if (err < 0)
                goto out_put;
        /* "err" is actually length in this case */
        err = move_addr_to_user(&address, err, usockaddr, usockaddr_len); //use

        fput_light(sock->file, fput_needed);
        return err;

static int move_addr_to_user(struct sockaddr_storage *kaddr, int klen,
                             void __user *uaddr, int __user *ulen)
        int err;
        int len;

        BUG_ON(klen > sizeof(struct sockaddr_storage));
        err = get_user(len, ulen);
        if (err)
                return err;
        if (len > klen)
                len = klen;
        if (len < 0)
                return -EINVAL;
        if (len) {
                if (audit_sockaddr(klen, kaddr))
                        return -ENOMEM;
                if (copy_to_user(uaddr, kaddr, len)) // use 
                        return -EFAULT;
         *      "fromlen shall refer to the value before truncation.."
         *                      1003.1g
        return __put_user(klen, ulen);

the variable address is allocated in __sys_getsockname, and then is initialized
in sock->ops->getname(sock, (struct sockaddr *)& address, 0); After that,
address is passed to move_addr_to_user() and finally it passed to
copy_to_user(), leading to uninitialized value use. 

Main reason for this bug: initialization in sock->ops->getname(sock, (struct
sockaddr *)&address, 0) is partially initialized.  It only initializes the
fields in the struct but not the holes between the fields. As a result, since
uaddr will be passed to copy_to_user(), and the holes inside the uaddr struct 
contain uninitialized data inherited from the kernel stack, it may cause
information leakage from kernel space to user space

Here is the initialization function:

static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
        struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
        struct sock *sk = sock->sk;
        struct isotp_sock *so = isotp_sk(sk);

        if (peer)
                return -EOPNOTSUPP;

        +memset(addr, 0, ISOTP_MIN_NAMELEN);//patch
        addr->can_family = AF_CAN;
        addr->can_ifindex = so->ifindex;
        addr-> = so->rxid;
        addr-> = so->txid;

        return ISOTP_MIN_NAMELEN;

The patch: memset() initializes the whole struct sockaddr_can, including the
holes within the struct sockaddr_can.

Sockaddr_can is declared here:
struct sockaddr_can {
        __kernel_sa_family_t can_family;
        int         can_ifindex;
        union {
                /* transport protocol class address information (e.g. ISOTP) */
                struct { canid_t rx_id, tx_id; } tp;

                /* J1939 address information */
                struct {
                        /* 8 byte name when using dynamic addressing */
                        __u64 name;

                        /* pgn:
                         * 8 bit: PS in PDU2 case, else 0
                         * 8 bit: PF
                         * 1 bit: DP
                         * 1 bit: reserved
                        __u32 pgn;

                        /* 1 byte address */
                        __u8 addr;
                } j1939;

                /* reserved for future CAN protocols address information */
        } can_addr;
There are a few holes inside the struct, but it doesn’t explicitly set to 0 in 

At the same time, I realized  sock->ops->getname(sock, (struct sockaddr
*)&address, 0) is an indirect call. Thus it may go to different functions at
the run time. If one of these functions doesn't initialize the holes within the
struct, it may cause an information leak from kernel space to userspace. 

My tools find similar cloned bugs
The same bug happen in /net/bluetooth/hci_sock.c

static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
                            int peer)
        struct sockaddr_hci *haddr = (struct sockaddr_hci *)addr;
        struct sock *sk = sock->sk;
        struct hci_dev *hdev;
        int err = 0;

        BT_DBG("sock %p sk %p", sock, sk);

        if (peer)
                return -EOPNOTSUPP;


        hdev = hci_hdev_from_sock(sk);
        if (IS_ERR(hdev)) {
                err = PTR_ERR(hdev);
                goto done;

        haddr->hci_family = AF_BLUETOOTH;
        haddr->hci_dev    = hdev->id;
        haddr->hci_channel= hci_pi(sk)->channel;
        err = sizeof(*haddr);

        return err;
sockaddr_hci is declared here:

struct sockaddr_hci {
        sa_family_t    hci_family;
        unsigned short hci_dev;
        unsigned short hci_channel;

We can see there is a hole between family and dev. Thus, we have to explicitly
set the hole to zero. Otherwise, the address will be passed to copy_to_user and
cause information leakage.

Suggested patch:
memset(maddr, 0, sizeof(sockaddr_hci));

Thank you for the review. I appreciate your time. 

Andrew Bao

You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2021-10-16  0:25 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-16  0:25 Fw: [Bug 214729] New: Information leakage from kernel to user space in /net/bluetooth/hci_sock.c Stephen Hemminger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).