* [PATCH] Bluetooth: bnep: Fix UAF read of dev->name
@ 2026-05-12 20:15 Jann Horn
  2026-05-12 21:23 ` bluez.test.bot
  2026-05-15 15:50 ` [PATCH] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Jann Horn @ 2026-05-12 20:15 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: linux-bluetooth, linux-kernel, stable, Jann Horn

bnep_add_connection() needs to keep holding the bnep_session_sem while
reading dev->name (just like bnep_get_connlist() does); otherwise the
bnep_session() thread can concurrently free the net_device, which can for
example be triggered by a concurrent bnep_del_connection().

(This UAF is fairly uninteresting from a security perspective;
calling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)
check. It also requires completely tearing down a netdev during a fairly
tight race window.)

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
---
I have tested that this bug can lead to UAF by using KASAN and
introducing an artificial delay with mdelay().
---
 net/bluetooth/bnep/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 853c8d7644b5..0de5df690bd0 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -645,8 +645,8 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
 		goto failed;
 	}
 
-	up_write(&bnep_session_sem);
 	strcpy(req->device, dev->name);
+	up_write(&bnep_session_sem);
 	return 0;
 
 failed:
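Review bot: moving up_write() below the strcpy() is the right scope fix, but the copy itself deserves a comment: strcpy(req->device, dev->name) is an unbounded copy into a caller-supplied struct field, and new code in this area would normally use strscpy() with the destination size so the bound is explicit rather than relying on dev->name and req->device happening to share a length. It would also help future readers to note, either in the commit message or as a one-line comment above the strcpy(), why holding bnep_session_sem here is sufficient (the teardown path that frees the net_device must itself take the write side of the semaphore, as the comparison to bnep_get_connlist() implies), since the hunk alone does not make that invariant visible.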

---
base-commit: 1d5dcaa3bd65f2e8c9baa14a393d3a2dc5db7524
change-id: 20260512-bnep-add-uaf-f730caec3b13

--  
Jann Horn <jannh@google.com>



* RE: Bluetooth: bnep: Fix UAF read of dev->name
  2026-05-12 20:15 [PATCH] Bluetooth: bnep: Fix UAF read of dev->name Jann Horn
@ 2026-05-12 21:23 ` bluez.test.bot
  2026-05-15 15:50 ` [PATCH] " patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-05-12 21:23 UTC (permalink / raw)
  To: linux-bluetooth, jannh


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1093767

---Test result---

Test Summary:
CheckPatch                    PASS      0.54 seconds
GitLint                       FAIL      0.21 seconds
SubjectPrefix                 PASS      0.07 seconds
BuildKernel                   PASS      26.75 seconds
CheckAllWarning               PASS      29.78 seconds
CheckSparse                   PASS      27.99 seconds
BuildKernel32                 PASS      26.10 seconds
TestRunnerSetup               PASS      579.08 seconds
TestRunner_bnep-tester        PASS      19.09 seconds
IncrementalBuild              PASS      24.48 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: bnep: Fix UAF read of dev->name

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
27: B2 Line has trailing whitespace: "--  "


https://github.com/bluez/bluetooth-next/pull/179

---
Regards,
Linux Bluetooth



* Re: [PATCH] Bluetooth: bnep: Fix UAF read of dev->name
  2026-05-12 20:15 [PATCH] Bluetooth: bnep: Fix UAF read of dev->name Jann Horn
  2026-05-12 21:23 ` bluez.test.bot
@ 2026-05-15 15:50 ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-05-15 15:50 UTC (permalink / raw)
  To: Jann Horn; +Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel, stable

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 12 May 2026 22:15:39 +0200 you wrote:
> bnep_add_connection() needs to keep holding the bnep_session_sem while
> reading dev->name (just like bnep_get_connlist() does); otherwise the
> bnep_session() thread can concurrently free the net_device, which can for
> example be triggered by a concurrent bnep_del_connection().
> 
> (This UAF is fairly uninteresting from a security perspective;
> calling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)
> check. It also requires completely tearing down a netdev during a fairly
> tight race window.)
> 
> [...]

Here is the summary with links:
  - Bluetooth: bnep: Fix UAF read of dev->name
    https://git.kernel.org/bluetooth/bluetooth-next/c/ffeee619a13b

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



