[Linux-kernel-mentees] How does syzkaller manage to create Bluetooth connections in a VM which doesn't have a Bluetooth device
dvyukov at google.com
Tue Sep 8 07:16:29 UTC 2020
,On Fri, Sep 4, 2020 at 4:20 PM Coiby Xu <coiby.xu at gmail.com> wrote:
> I have been trying to fix this issue  found by syzbot. I notice the
> extracted syzkaller reproducer could connect to another Bluetooth device
> successfully because l2cap_chan_connect successfully returns.
> // net/Bluetooth/l2cap_sock.c
> static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
> int alen, int flags)
> err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
> &la.l2_bdaddr, la.l2_bdaddr_type);
> However, if I use syz-prog2c to convert the syzkaller reproducer to a
> C reproducer, the C reproducer could never make a socket connect call
> successfully. So how does syzkaller manage to create Bluetooth connections
> for the sykaller reproducer? I've understood why this issue  occurs
> but haven't figured out how it occurs, i.e., what is the subtle race
> condition. So I want to write a C reproducer to experiment on it.
>  INFO: trying to register non-static key in l2cap_chan_del: https://syzkaller.appspot.com/bug?id=aca31fd1ef0cbf898bd37115e2c4c66fa37f4a20
syzkaller uses /dev/vhci to create a virtual bluetooth device.
There should be a flag for syz-prog2c to include that code into C
reproducers as well.
However note that syzbot did not provide a C reproducer which means
that the crash was somehow not reproducible with a C reproducer (that
includes vhci initialization code and all other relevant code), so
maybe you are seeing the same effect. It would be useful to figure out
why it's not reproducible with a C repro, maybe it's some bug in
syzkaller that can be fixed.
More information about the Linux-kernel-mentees