"general protection fault in l2cap_sock_getsockopt" and "general protection fault in sco_sock_getsockopt" may share the same root cause


慕冬亮

Jan 10, 2021, 10:36:03 PM1/10/21
to da...@davemloft.net, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-kernel, mar...@holtmann.org, net...@vger.kernel.org, eric.d...@gmail.com, syzkall...@googlegroups.com, Dmitry Vyukov
Dear developers,

I find that "general protection fault in l2cap_sock_getsockopt" and "general protection fault in sco_sock_getsockopt" may be duplicate bugs with the same root cause.

By comparing the PoCs after our own minimization, we find they differ in only one argument. This argument (0x3 or 0x5) decides the socket type and the getsockopt function that follows.

% general protection fault in sco_sock_getsockopt
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
getsockopt$bt_BT_RCVMTU(r0, 0x112, 0xe, 0x0, &(0x7f0000000140))
% general protection fault in l2cap_sock_getsockopt
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
getsockopt$bt_BT_RCVMTU(r0, 0x112, 0xe, 0x0, &(0x7f0000000140))

By the way, we find that two different kernel developers are handling these and developing patches for them. After this grouping, I think it could save kernel developers some manual effort.

--
My best regards to you.

     No System Is Safe!
     Dongliang Mu
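A small helper that automates the comparison described in the message, added here as an example and not part of the original post: it parses two minimized syzkaller programs call by call and reports the arguments that differ. The two reproducers are the ones quoted above; the parser handles only the simple `res = call(args)` form they use, which is an assumption.

```python
"""Diff two minimized syzkaller reproducers and report differing arguments."""
import re

# Constructed from the two PoCs quoted in the message (one-argument variants).
POC_SCO = """\
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
getsockopt$bt_BT_RCVMTU(r0, 0x112, 0xe, 0x0, &(0x7f0000000140))
"""
POC_L2CAP = """\
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
getsockopt$bt_BT_RCVMTU(r0, 0x112, 0xe, 0x0, &(0x7f0000000140))
"""

# Matches "r0 = name$variant(args)" or "name$variant(args)"; nested forms
# beyond &(...) are not handled (assumption for this example).
CALL_RE = re.compile(r'^(?:(\w+)\s*=\s*)?([\w$]+)\((.*)\)$')


def split_args(argstr):
    """Split on top-level commas so &(0x7f...) style arguments stay whole."""
    args, depth, cur = [], 0, ''
    for ch in argstr:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == ',' and depth == 0:
            args.append(cur.strip())
            cur = ''
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def parse_program(text):
    """Return a list of (result_var, call_name, [args]) for each syzlang line."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = CALL_RE.match(line)
        if not m:
            raise ValueError(f'unparsed syzlang line: {line}')
        res, name, argstr = m.groups()
        calls.append((res, name, split_args(argstr)))
    return calls


def diff_programs(a, b):
    """List (call_idx, call_name, arg_idx, value_a, value_b) for differing args.

    Returns None when the call sequences themselves differ, i.e. the two
    reproducers are not simple argument variants of each other."""
    pa, pb = parse_program(a), parse_program(b)
    if len(pa) != len(pb) or any(x[1] != y[1] for x, y in zip(pa, pb)):
        return None
    diffs = []
    for i, ((_, name, aa), (_, _, ab)) in enumerate(zip(pa, pb)):
        diffs += [(i, name, j, x, y) for j, (x, y) in enumerate(zip(aa, ab)) if x != y]
    return diffs
```

For the two PoCs above the only difference reported is argument 1 of the `syz_init_net_socket$bt_l2cap` call (`0x5` versus `0x3`), which is the socket type the message points at.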