Re: [PATCH v2] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg

Hyunwoo Kim <v4bel@xxxxxxxxx> · Mon, 22 Apr 2024 19:49:49 -0400

Dear Martyn Welch,

I apologize for the long delay in responding.

On Thu, Feb 22, 2024 at 11:23:05AM +0000, Martyn Welch wrote:
> Hi Hyunwoo,
> 
> I've been looking into a few CVEs, the one of interest in this case is
> CVE-2024-21803.
> 
> There seems to be little publicly available information about this CVE,
> however the title of this patch and the affected kernel range suggest this
> may be a fix for this CVE.
This patch is for CVE-2023-51779. 

> 
> Would you be able to clarify whether this is a fix for CVE-2024-21803?
IMO, CVE-2024-21803 appears to be the same vulnerability as CVE-2023-51779. 
It appears to be a duplicate CVE that was registered due to an unknown reporter's mistake.

Best Regards,
Hyunwoo Kim
> 
> Thanks,
> 
> Martyn
> 
> On 09/12/2023 10:55, Hyunwoo Kim wrote:
> > This can cause a race with bt_sock_ioctl() because
> > bt_sock_recvmsg() gets the skb from sk->sk_receive_queue
> > and then frees it without holding lock_sock.
> > A use-after-free for a skb occurs with the following flow.
> > ```
> > bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
> > bt_sock_ioctl() -> skb_peek()
> > ```
> > Add lock_sock to bt_sock_recvmsg() to fix this issue.
> > 
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Hyunwoo Kim <v4bel@xxxxxxxxx>
> > ---
> > v1 -> v2: Remove duplicate release_sock()s
> > ---
> >   net/bluetooth/af_bluetooth.c | 7 ++++++-
> >   1 file changed, 6 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> > index 336a76165454..b93464ac3517 100644
> > --- a/net/bluetooth/af_bluetooth.c
> > +++ b/net/bluetooth/af_bluetooth.c
> > @@ -309,11 +309,14 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
> >   	if (flags & MSG_OOB)
> >   		return -EOPNOTSUPP;
> > +	lock_sock(sk);
> > +
> >   	skb = skb_recv_datagram(sk, flags, &err);
> >   	if (!skb) {
> >   		if (sk->sk_shutdown & RCV_SHUTDOWN)
> > -			return 0;
> > +			err = 0;
> > +		release_sock(sk);
> >   		return err;
> >   	}
> > @@ -343,6 +346,8 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
> >   	skb_free_datagram(sk, skb);
> > +	release_sock(sk);
> > +
> >   	if (flags & MSG_TRUNC)
> >   		copied = skblen;