kernel_samsung_a53x/net
Gui-Dong Han f8b9ebd7f6 Bluetooth: Fix atomicity violation in {min,max}_key_size_set
commit da9065caa594d19b26e1a030fd0cc27bd365d685 upstream.

In min_key_size_set():
    if (val > hdev->le_max_key_size || val < SMP_MIN_ENC_KEY_SIZE)
        return -EINVAL;
    hci_dev_lock(hdev);
    hdev->le_min_key_size = val;
    hci_dev_unlock(hdev);

In max_key_size_set():
    if (val > SMP_MAX_ENC_KEY_SIZE || val < hdev->le_min_key_size)
        return -EINVAL;
    hci_dev_lock(hdev);
    hdev->le_max_key_size = val;
    hci_dev_unlock(hdev);

The atomicity violation occurs due to concurrent execution of set_min and
set_max funcs.Consider a scenario where setmin writes a new, valid 'min'
value, and concurrently, setmax writes a value that is greater than the
old 'min' but smaller than the new 'min'. In this case, setmax might check
against the old 'min' value (before acquiring the lock) but write its
value after the 'min' has been updated by setmin. This leads to a
situation where the 'max' value ends up being smaller than the 'min'
value, which is an inconsistency.

This possible bug is found by an experimental static analysis tool
developed by our team, BassCheck[1]. This tool analyzes the locking APIs
to extract function pairs that can be concurrently executed, and then
analyzes the instructions in the paired functions to identify possible
concurrency bugs including data races and atomicity violations. The above
possible bug is reported when our tool analyzes the source code of
Linux 5.17.

To resolve this issue, it is suggested to encompass the validity checks
within the locked sections in both set_min and set_max funcs. The
modification ensures that the validation of 'val' against the
current min/max values is atomic, thus maintaining the integrity of the
settings. With this patch applied, our tool no longer reports the bug,
with the kernel configuration allyesconfig for x86_64. Due to the lack of
associated hardware, we cannot test the patch in runtime testing, and just
verify it according to the code logic.

[1] https://sites.google.com/view/basscheck/

Fixes: 18f81241b74f ("Bluetooth: Move {min,max}_key_size debugfs ...")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <2045gemini@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-18 12:12:47 +01:00
..
6lowpan
9p 9p/net: fix possible memory leak in p9_check_errors() 2024-11-18 12:12:01 +01:00
802
8021q net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() 2024-11-18 12:11:59 +01:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2024-11-18 12:11:49 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2024-11-18 12:11:49 +01:00
ax25
batman-adv net: vlan: introduce skb_vlan_eth_hdr() 2024-11-18 12:11:48 +01:00
bluetooth Bluetooth: Fix atomicity violation in {min,max}_key_size_set 2024-11-18 12:12:47 +01:00
bpf
bpfilter
bridge netfilter: nf_conntrack_bridge: initialize err to 0 2024-11-18 11:43:20 +01:00
caif
can
ceph
core neighbour: Don't let neigh_forced_gc() disable preemption for long 2024-11-18 12:12:16 +01:00
dcb
dccp
decnet
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-11-18 12:12:43 +01:00
dsa
ethernet
ethtool
hsr
ieee802154
ife net: sched: ife: fix potential use-after-free 2024-11-18 12:11:59 +01:00
ipv4 net: Remove acked SYN flag from packet in the transmit queue correctly 2024-11-18 12:11:49 +01:00
ipv6 ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() 2024-11-18 12:12:38 +01:00
iucv
kcm
key
l2tp
l3mdev
lapb
llc
mac80211 wifi: mac80211: mesh_plink: fix matches_local logic 2024-11-18 12:11:58 +01:00
mac802154
mpls
mptcp mptcp: fix uninit-value in mptcp_incoming_options 2024-11-18 12:12:12 +01:00
ncm
ncsi net/ncsi: Fix netlink major/minor version numbers 2024-11-18 12:12:28 +01:00
netfilter netfilter: nf_tables: mark newset as dead on transaction abort 2024-11-18 12:12:38 +01:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-11-18 12:12:25 +01:00
netlink drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group 2024-11-18 12:11:46 +01:00
netrom
nfc nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local 2024-11-18 12:12:06 +01:00
nsh
openvswitch
packet packet: Move reference count in packet_sock to atomic_long_t 2024-11-18 12:11:42 +01:00
phonet
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2024-11-18 12:11:46 +01:00
qrtr
rds
rfkill net: rfkill: gpio: set GPIO direction 2024-11-18 12:12:01 +01:00
rose net/rose: fix races in rose_kill_by_device() 2024-11-18 12:11:59 +01:00
rxrpc
sched net: sched: em_text: fix possible memory leak in em_text_destroy() 2024-11-18 12:12:06 +01:00
sctp
skb_tracer
smc net/smc: avoid data corruption caused by decline 2024-11-18 12:10:55 +01:00
strparser
sunrpc SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 2024-11-18 11:43:19 +01:00
switchdev
tipc tipc: Fix kernel-infoleak due to uninitialized TLV value 2024-11-18 11:43:19 +01:00
tls net: tls, update curr on splice as well 2024-11-18 12:12:08 +01:00
unix
vmw_vsock virtio/vsock: fix logic which reduces credit update messages 2024-11-18 12:12:37 +01:00
wimax
wireless wifi: cfg80211: fix certs build to not depend on file order 2024-11-18 12:12:00 +01:00
x25
xdp
xfrm
compat.c
devres.c
Kconfig
Makefile
socket.c net: Save and restore msg_namelen in sock_sendmsg 2024-11-18 12:12:07 +01:00
sysctl_net.c
TEST_MAPPING