Patch "Bluetooth: fix use-after-free in accessing skb after sending it" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    Bluetooth: fix use-after-free in accessing skb after sending it

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-fix-use-after-free-in-accessing-skb-after-.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6d97dbde11f38d6e12844d1a02b47b8146b73004
Author: Pauli Virtanen <pav@xxxxxx>
Date:   Sat Mar 2 19:06:23 2024 +0200

    Bluetooth: fix use-after-free in accessing skb after sending it
    
    [ Upstream commit 947ec0d002dce8577b655793dcc6fc78d67b7cb6 ]
    
    hci_send_cmd_sync first sends skb and then tries to clone it.  However,
    the driver may have already freed the skb at that point.
    
    Fix by cloning the sent_cmd cloned just above, instead of the original.
    
    Log:
    ================================================================
    BUG: KASAN: slab-use-after-free in __copy_skb_header+0x1a/0x240
    ...
    Call Trace: ..
     __skb_clone+0x59/0x2c0
     hci_cmd_work+0x3b3/0x3d0 [bluetooth]
     process_one_work+0x459/0x900
    ...
    Allocated by task 129: ...
     __alloc_skb+0x1ae/0x220
     __hci_cmd_sync_sk+0x44c/0x7a0 [bluetooth]
     __hci_cmd_sync_status+0x24/0xb0 [bluetooth]
     set_cig_params_sync+0x778/0x7d0 [bluetooth]
    ...
    Freed by task 0: ...
     kmem_cache_free+0x157/0x3c0
     __usb_hcd_giveback_urb+0x11e/0x1e0
     usb_giveback_urb_bh+0x1ad/0x2a0
     tasklet_action_common.isra.0+0x259/0x4a0
     __do_softirq+0x15b/0x5a7
    ================================================================
    
    Fixes: 2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting request callback")
    Signed-off-by: Pauli Virtanen <pav@xxxxxx>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 88e9d7e0865a2..70f24dc75b596 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4176,7 +4176,7 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
 	if (hci_req_status_pend(hdev) &&
 	    !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
 		kfree_skb(hdev->req_skb);
-		hdev->req_skb = skb_clone(skb, GFP_KERNEL);
+		hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
 	}
 
 	atomic_dec(&hdev->cmd_cnt);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux