1. 04 Nov, 2022 1 commit
    • Hans J. Schultz's avatar
      bridge: Add MAC Authentication Bypass (MAB) support · a35ec8e3
      Hans J. Schultz authored
      Hosts that support 802.1X authentication are able to authenticate
      themselves by exchanging EAPOL frames with an authenticator (Ethernet
      bridge, in this case) and an authentication server. Access to the
      network is only granted by the authenticator to successfully
      authenticated hosts.
      
      The above is implemented in the bridge using the "locked" bridge port
      option. When enabled, link-local frames (e.g., EAPOL) can be locally
      received by the bridge, but all other frames are dropped unless the host
      is authenticated. That is, unless the user space control plane installed
      an FDB entry according to which the source address of the frame is
      located behind the locked ingress port. The entry can be dynamic, in
      which case learning needs to be enabled so that the entry will be
      refreshed by incoming traffic.
      
      There are deployments in which not all the devices connected to the
      authenticator (the bridge) support 802.1X. Such devices can include
      printers and cameras. One option to support such deployments is to
      unlock the bridge ports connecting these devices, but a slightly more
      secure option is to use MAB. When MAB is enabled, the MAC address of the
      connected device is used as the user name and password for the
      authentication.
      
      For MAB to work, the user space control plane needs to be notified about
      MAC addresses that are trying to gain access so that they will be
      compared against an allow list. This can be implemented via the regular
      learning process with the sole difference that learned FDB entries are
      installed with a new "locked" flag indicating that the entry cannot be
      used to authenticate the device. The flag cannot be set by user space,
      but user space can clear the flag by replacing the entry, thereby
      authenticating the device.
      
      Locked FDB entries implement the following semantics with regards to
      roaming, aging and forwarding:
      
      1. Roaming: Locked FDB entries can roam to unlocked (authorized) ports,
         in which case the "locked" flag is cleared. FDB entries cannot roam
         to locked ports regardless of MAB being enabled or not. Therefore,
         locked FDB entries are only created if an FDB entry with the given {MAC,
         VID} does not already exist. This behavior prevents unauthenticated
         devices from disrupting traffic destined to already authenticated
         devices.
      
      2. Aging: Locked FDB entries age and refresh by incoming traffic like
         regular entries.
      
      3. Forwarding: Locked FDB entries forward traffic like regular entries.
         If user space detects an unauthorized MAC behind a locked port and
         wishes to prevent traffic with this MAC DA from reaching the host, it
         can do so using tc or a different mechanism.
      
      Enable the above behavior using a new bridge port option called "mab".
      It can only be enabled on a bridge port that is both locked and has
      learning enabled. Locked FDB entries are flushed from the port once MAB
      is disabled. A new option is added because there are pure 802.1X
      deployments that are not interested in notifications about locked FDB
      entries.
      Signed-off-by: default avatarHans J. Schultz <netdev@kapio-technology.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Reviewed-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      a35ec8e3
  2. 03 Nov, 2022 33 commits
  3. 02 Nov, 2022 6 commits
    • Luiz Augusto von Dentz's avatar
      Bluetooth: L2CAP: Fix attempting to access uninitialized memory · b1a2cd50
      Luiz Augusto von Dentz authored
      On l2cap_parse_conf_req the variable efs is only initialized if
      remote_efs has been set.
      
      CVE: CVE-2022-42895
      CC: stable@vger.kernel.org
      Reported-by: default avatarTamás Koczka <poprdi@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
      b1a2cd50
    • Luiz Augusto von Dentz's avatar
      Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm · f937b758
      Luiz Augusto von Dentz authored
      l2cap_global_chan_by_psm shall not return fixed channels as they are not
      meant to be connected by (S)PSM.
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
      f937b758
    • Luiz Augusto von Dentz's avatar
      Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM · 711f8c3f
      Luiz Augusto von Dentz authored
      The Bluetooth spec states that the valid range for SPSM is from
      0x0001-0x00ff so it is invalid to accept values outside of this range:
      
        BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
        page 1059:
        Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
      
      CVE: CVE-2022-42896
      CC: stable@vger.kernel.org
      Reported-by: default avatarTamás Koczka <poprdi@google.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Reviewed-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
      711f8c3f
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_conn: Fix not restoring ISO buffer count on disconnect · 5638d9ea
      Luiz Augusto von Dentz authored
      When disconnecting an ISO link the controller may not generate
      HCI_EV_NUM_COMP_PKTS for unacked packets which needs to be restored in
      hci_conn_del otherwise the host would assume they are still in use and
      would not be able to use all the buffers available.
      
      Fixes: 26afbd82 ("Bluetooth: Add initial implementation of CIS connections")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      Tested-by: default avatarFrédéric Danis <frederic.danis@collabora.com>
      5638d9ea
    • Hawkins Jiawei's avatar
      Bluetooth: L2CAP: Fix memory leak in vhci_write · 7c9524d9
      Hawkins Jiawei authored
      Syzkaller reports a memory leak as follows:
      ====================================
      BUG: memory leak
      unreferenced object 0xffff88810d81ac00 (size 240):
        [...]
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418
          [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]
          [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]
          [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]
          [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511
          [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]
          [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]
          [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578
          [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631
          [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
          [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
          [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
      ====================================
      
      HCI core will uses hci_rx_work() to process frame, which is queued to
      the hdev->rx_q tail in hci_recv_frame() by HCI driver.
      
      Yet the problem is that, HCI core may not free the skb after handling
      ACL data packets. To be more specific, when start fragment does not
      contain the L2CAP length, HCI core just copies skb into conn->rx_skb and
      finishes frame process in l2cap_recv_acldata(), without freeing the skb,
      which triggers the above memory leak.
      
      This patch solves it by releasing the relative skb, after processing
      the above case in l2cap_recv_acldata().
      
      Fixes: 4d7ea8ee ("Bluetooth: L2CAP: Fix handling fragmented length")
      Link: https://lore.kernel.org/all/0000000000000d0b1905e6aaef64@google.com/
      Reported-and-tested-by: syzbot+8f819e36e01022991cfa@syzkaller.appspotmail.com
      Signed-off-by: default avatarHawkins Jiawei <yin31149@gmail.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7c9524d9
    • Zhengchao Shao's avatar
      Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() · 0d0e2d03
      Zhengchao Shao authored
      When l2cap_recv_frame() is invoked to receive data, and the cid is
      L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
      However, after a channel is created, the hold operation of the channel
      is not performed. In this case, the value of channel reference counting
      is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
      invokes the close hook function of A2MP to release the channel. Then
       l2cap_chan_unlock(chan) will trigger UAF issue.
      
      The process is as follows:
      Receive data:
      l2cap_data_channel()
          a2mp_channel_create()  --->channel ref is 2
          l2cap_chan_put()       --->channel ref is 1
      
      Triger event:
          hci_error_reset()
              hci_dev_do_close()
              ...
              l2cap_disconn_cfm()
                  l2cap_conn_del()
                      l2cap_chan_hold()    --->channel ref is 2
                      l2cap_chan_del()     --->channel ref is 1
                      a2mp_chan_close_cb() --->channel ref is 0, release channel
                      l2cap_chan_unlock()  --->UAF of channel
      
      The detailed Call Trace is as follows:
      BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
      Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
      Workqueue: hci0 hci_error_reset
      Call Trace:
       <TASK>
       dump_stack_lvl+0xcd/0x134
       print_report.cold+0x2ba/0x719
       kasan_report+0xb1/0x1e0
       kasan_check_range+0x140/0x190
       __mutex_unlock_slowpath+0xa6/0x5e0
       l2cap_conn_del+0x404/0x7b0
       l2cap_disconn_cfm+0x8c/0xc0
       hci_conn_hash_flush+0x11f/0x260
       hci_dev_close_sync+0x5f5/0x11f0
       hci_dev_do_close+0x2d/0x70
       hci_error_reset+0x9e/0x140
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
       </TASK>
      
      Allocated by task 7593:
       kasan_save_stack+0x1e/0x40
       __kasan_kmalloc+0xa9/0xd0
       l2cap_chan_create+0x40/0x930
       amp_mgr_create+0x96/0x990
       a2mp_channel_create+0x7d/0x150
       l2cap_recv_frame+0x51b8/0x9a70
       l2cap_recv_acldata+0xaa3/0xc00
       hci_rx_work+0x702/0x1220
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
      
      Freed by task 7593:
       kasan_save_stack+0x1e/0x40
       kasan_set_track+0x21/0x30
       kasan_set_free_info+0x20/0x30
       ____kasan_slab_free+0x167/0x1c0
       slab_free_freelist_hook+0x89/0x1c0
       kfree+0xe2/0x580
       l2cap_chan_put+0x22a/0x2d0
       l2cap_conn_del+0x3fc/0x7b0
       l2cap_disconn_cfm+0x8c/0xc0
       hci_conn_hash_flush+0x11f/0x260
       hci_dev_close_sync+0x5f5/0x11f0
       hci_dev_do_close+0x2d/0x70
       hci_error_reset+0x9e/0x140
       process_one_work+0x98a/0x1620
       worker_thread+0x665/0x1080
       kthread+0x2e4/0x3a0
       ret_from_fork+0x1f/0x30
      
      Last potentially related work creation:
       kasan_save_stack+0x1e/0x40
       __kasan_record_aux_stack+0xbe/0xd0
       call_rcu+0x99/0x740
       netlink_release+0xe6a/0x1cf0
       __sock_release+0xcd/0x280
       sock_close+0x18/0x20
       __fput+0x27c/0xa90
       task_work_run+0xdd/0x1a0
       exit_to_user_mode_prepare+0x23c/0x250
       syscall_exit_to_user_mode+0x19/0x50
       do_syscall_64+0x42/0x80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
       kasan_save_stack+0x1e/0x40
       __kasan_record_aux_stack+0xbe/0xd0
       call_rcu+0x99/0x740
       netlink_release+0xe6a/0x1cf0
       __sock_release+0xcd/0x280
       sock_close+0x18/0x20
       __fput+0x27c/0xa90
       task_work_run+0xdd/0x1a0
       exit_to_user_mode_prepare+0x23c/0x250
       syscall_exit_to_user_mode+0x19/0x50
       do_syscall_64+0x42/0x80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Fixes: d0be8347 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
      Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      0d0e2d03