From: patchwork-bot+bluetooth@kernel.org
To: Sungwoo Kim <iam@sung-woo.kim>
Cc: daveti@purdue.edu, marcel@holtmann.org, johan.hedberg@gmail.com,
luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Bluetooth: HCI: fix slab-use-after-free in cmd_sync_work
Date: Thu, 25 Apr 2024 16:30:33 +0000
Message-ID: <171406263301.12899.1823558479194537202.git-patchwork-notify@kernel.org>
In-Reply-To: <20240425041128.3093970-1-iam@sung-woo.kim>
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 25 Apr 2024 00:11:28 -0400 you wrote:
> Hello, could you review the UAF bug and its fix?
> The stack trace is at the bottom.
>
> mgmt sync cmd could be used after freed in this scenario:
>
> set_local_name() ... cmd is allocated, set_name_complete() is
> queued in cmd_sync_work.
> hci_error_reset() ... hci device reset.
> hci_dev_close_sync() ... close hdev, at this point, cmd is freed.
> set_name_complete() ... callback from cmd_sync_work. cmd->param causes UAF.
>
> [...]
Here is the summary with links:
- Bluetooth: HCI: fix slab-use-after-free in cmd_sync_work
https://git.kernel.org/bluetooth/bluetooth-next/c/37dd04e4d594
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
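
The lifetime problem in the quoted scenario, modelled in user space as an added example: this is not kernel code and not the applied patch, whose diff is elided above. It shows one general defence, in which the queued completion callback carries a command id and re-resolves it against the pending list instead of keeping a raw pointer. All names (`struct cmd`, `struct dev`, `cmd_add`, `dev_close`, `name_complete`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PENDING 4

/* Hypothetical stand-ins for a pending mgmt command and its owning device. */
struct cmd { unsigned id; char param[32]; };
struct dev { struct cmd *pending[MAX_PENDING]; unsigned next_id; };

/* Step 1: allocate a command, park it on the pending list, return its id. */
static unsigned cmd_add(struct dev *d, const char *name)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (d->pending[i])
            continue;
        struct cmd *c = calloc(1, sizeof(*c));
        if (!c)
            return 0;
        c->id = ++d->next_id;               /* ids start at 1; 0 means failure */
        strncpy(c->param, name, sizeof(c->param) - 1);
        d->pending[i] = c;
        return c->id;
    }
    return 0;                               /* list full */
}

/* Steps 2-3: reset/close frees every pending command and clears its slot. */
static void dev_close(struct dev *d)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        free(d->pending[i]);
        d->pending[i] = NULL;
    }
}

/* Step 4: the queued callback looks the id up again before reading param;
 * a command already freed by dev_close() is simply not found. */
static int name_complete(struct dev *d, unsigned id, char *out, size_t len)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        struct cmd *c = d->pending[i];
        if (c && c->id == id) {
            snprintf(out, len, "%s", c->param);
            return 0;
        }
    }
    return -1;                              /* stale work item: nothing dereferenced */
}
```

In concurrent code the lookup and the use of the command must both happen under the lock that protects the pending list; this single-threaded model only shows the ordering.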