Patch "Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync" has been added to the 6.8-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 3d1c16e920c88eb5e583e1b4a10b95a5dc97ec22 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date: Fri, 8 Mar 2024 11:02:48 -0500
Subject: Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

commit 3d1c16e920c88eb5e583e1b4a10b95a5dc97ec22 upstream.

This fixes the following error caused by hci_conn being freed while
hcy_acl_create_conn_sync is pending:

==================================================================
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0xa7/0x2e0
Write of size 2 at addr ffff888002ae0036 by task kworker/u3:0/848

CPU: 0 PID: 848 Comm: kworker/u3:0 Not tainted 6.8.0-rc6-g2ab3e8d67fc1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x21/0x70
 print_report+0xce/0x620
 ? preempt_count_sub+0x13/0xc0
 ? __virt_addr_valid+0x15f/0x310
 ? hci_acl_create_conn_sync+0xa7/0x2e0
 kasan_report+0xdf/0x110
 ? hci_acl_create_conn_sync+0xa7/0x2e0
 hci_acl_create_conn_sync+0xa7/0x2e0
 ? __pfx_hci_acl_create_conn_sync+0x10/0x10
 ? __pfx_lock_release+0x10/0x10
 ? __pfx_hci_acl_create_conn_sync+0x10/0x10
 hci_cmd_sync_work+0x138/0x1c0
 process_one_work+0x405/0x800
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_process_one_work+0x10/0x10
 worker_thread+0x37b/0x670
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x19b/0x1e0
 ? kthread+0xfe/0x1e0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2f/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 847:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 hci_conn_add+0xc6/0x970
 hci_connect_acl+0x309/0x410
 pair_device+0x4fb/0x710
 hci_sock_sendmsg+0x933/0xef0
 sock_write_iter+0x2c3/0x2d0
 do_iter_readv_writev+0x21a/0x2e0
 vfs_writev+0x21c/0x7b0
 do_writev+0x14a/0x180
 do_syscall_64+0x77/0x150
 entry_SYSCALL_64_after_hwframe+0x6c/0x74

Freed by task 847:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0xfa/0x150
 kfree+0xcb/0x250
 device_release+0x58/0xf0
 kobject_put+0xbb/0x160
 hci_conn_del+0x281/0x570
 hci_conn_hash_flush+0xfc/0x130
 hci_dev_close_sync+0x336/0x960
 hci_dev_close+0x10e/0x140
 hci_sock_ioctl+0x14a/0x5c0
 sock_ioctl+0x58a/0x5d0
 __x64_sys_ioctl+0x480/0xf60
 do_syscall_64+0x77/0x150
 entry_SYSCALL_64_after_hwframe+0x6c/0x74

Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/bluetooth/hci_sync.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6687,6 +6687,9 @@ static int hci_acl_create_conn_sync(stru
 	struct hci_cp_create_conn cp;
 	int err;
 
+	if (!hci_conn_valid(hdev, conn))
+		return -ECANCELED;
+
 	/* Many controllers disallow HCI Create Connection while it is doing
 	 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
 	 * Connection. This may cause the MGMT discovering state to become false


Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are

queue-6.8/bluetooth-mgmt-fix-failing-to-mgmt_op_add_uuid-mgmt_.patch
queue-6.8/bluetooth-remove-pending-acl-connection-attempts.patch
queue-6.8/bluetooth-hci_sync-use-advertised-phys-on-hci_le_ext.patch
queue-6.8/bluetooth-hci_conn-always-use-sk_timeo-as-conn_timeo.patch
queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch
queue-6.8/bluetooth-btusb-fix-triggering-coredump-implementati.patch
queue-6.8/bluetooth-btusb-mediatek-fix-double-free-of-skb-in-c.patch
queue-6.8/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
queue-6.8/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
queue-6.8/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
queue-6.8/bluetooth-qca-set-power_ctrl_enabled-on-null-returne.patch
queue-6.8/bluetooth-hci_event-fix-sending-hci_op_read_enc_key_.patch
queue-6.8/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
queue-6.8/bluetooth-hci_sync-using-hci_cmd_sync_submit-when-re.patch
queue-6.8/bluetooth-hci_conn-only-do-acl-connections-sequentia.patch
queue-6.8/bluetooth-iso-reassemble-pa-data-for-bcast-sink.patch
queue-6.8/bluetooth-hci_conn-fix-uaf-write-in-__hci_acl_create.patch
queue-6.8/bluetooth-hci_sync-add-helper-functions-to-manipulat.patch
queue-6.8/bluetooth-hci_event-use-hci-error-defines-instead-of.patch
queue-6.8/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
queue-6.8/bluetooth-hci_sync-attempt-to-dequeue-connection-att.patch
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux