* [PATCH] Bluetooth: Fix use-after-free read in hci_cmd_timeout()
@ 2022-11-05 19:04 Shigeru Yoshida
2022-11-05 19:40 ` bluez.test.bot
2022-11-07 18:49 ` [PATCH] " Luiz Augusto von Dentz
0 siblings, 2 replies; 3+ messages in thread
From: Shigeru Yoshida @ 2022-11-05 19:04 UTC (permalink / raw)
To: marcel, johan.hedberg, luiz.dentz
Cc: linux-bluetooth, linux-kernel, syzkaller-bugs, Shigeru Yoshida,
syzbot+19a9f729f05272857487
syzbot reported use-after-free in hci_cmd_timeout() [1]. The scenario
for the issue is as follows:
Task Workqueue
----------------------------------------------------------------------
hci_dev_open_sync
...
hci_dev_init_sync <- failed
...
if (hdev->sent_cmd)
kfree_skb(hdev->sent_cmd)
hci_cmd_timeout
...
if (hdev->sent_cmd)
sent = hdev->sent_cmd->data
^^ UAF occurred
hdev->sent_cmd = NULL
When hci_dev_init_sync() failed, hci_dev_open_sync() frees
hdev->send_cmd and set it to NULL. However, hci_cmd_timeout() can run
just after freeing hdev->sent_cmd because hdev->cmd_timer is not
canceled.
This patch fixes the issue by canceling hdev->cmd_timer before freeing
hdev->sent_cmd.
Link: https://syzkaller.appspot.com/bug?id=cb23ebfc8f304f510fb717cb783fe8b496c7ffb1 [1]
Reported-by: syzbot+19a9f729f05272857487@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
net/bluetooth/hci_sync.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 76c3107c9f91..a011065220e4 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -4696,6 +4696,7 @@ int hci_dev_open_sync(struct hci_dev *hdev)
hdev->flush(hdev);
if (hdev->sent_cmd) {
+ cancel_delayed_work_sync(&hdev->cmd_timer);
kfree_skb(hdev->sent_cmd);
hdev->sent_cmd = NULL;
}
--
2.38.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* RE: Bluetooth: Fix use-after-free read in hci_cmd_timeout()
2022-11-05 19:04 [PATCH] Bluetooth: Fix use-after-free read in hci_cmd_timeout() Shigeru Yoshida
@ 2022-11-05 19:40 ` bluez.test.bot
2022-11-07 18:49 ` [PATCH] " Luiz Augusto von Dentz
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2022-11-05 19:40 UTC (permalink / raw)
To: linux-bluetooth, syoshida
[-- Attachment #1: Type: text/plain, Size: 551 bytes --]
This is an automated email and please do not reply to this email.
Dear Submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.
----- Output -----
error: patch failed: net/bluetooth/hci_sync.c:4696
error: net/bluetooth/hci_sync.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch
Please resolve the issue and submit the patches again.
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] Bluetooth: Fix use-after-free read in hci_cmd_timeout()
2022-11-05 19:04 [PATCH] Bluetooth: Fix use-after-free read in hci_cmd_timeout() Shigeru Yoshida
2022-11-05 19:40 ` bluez.test.bot
@ 2022-11-07 18:49 ` Luiz Augusto von Dentz
1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2022-11-07 18:49 UTC (permalink / raw)
To: Shigeru Yoshida
Cc: marcel, johan.hedberg, linux-bluetooth, linux-kernel,
syzkaller-bugs, syzbot+19a9f729f05272857487
Hi Shigeru,
On Sat, Nov 5, 2022 at 12:04 PM Shigeru Yoshida <syoshida@redhat.com> wrote:
>
> syzbot reported use-after-free in hci_cmd_timeout() [1]. The scenario
> for the issue is as follows:
>
> Task Workqueue
> ----------------------------------------------------------------------
> hci_dev_open_sync
> ...
> hci_dev_init_sync <- failed
> ...
> if (hdev->sent_cmd)
> kfree_skb(hdev->sent_cmd)
> hci_cmd_timeout
> ...
> if (hdev->sent_cmd)
> sent = hdev->sent_cmd->data
> ^^ UAF occurred
> hdev->sent_cmd = NULL
>
> When hci_dev_init_sync() failed, hci_dev_open_sync() frees
> hdev->send_cmd and set it to NULL. However, hci_cmd_timeout() can run
> just after freeing hdev->sent_cmd because hdev->cmd_timer is not
> canceled.
>
> This patch fixes the issue by canceling hdev->cmd_timer before freeing
> hdev->sent_cmd.
>
> Link: https://syzkaller.appspot.com/bug?id=cb23ebfc8f304f510fb717cb783fe8b496c7ffb1 [1]
> Reported-by: syzbot+19a9f729f05272857487@syzkaller.appspotmail.com
> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
> ---
> net/bluetooth/hci_sync.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index 76c3107c9f91..a011065220e4 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -4696,6 +4696,7 @@ int hci_dev_open_sync(struct hci_dev *hdev)
> hdev->flush(hdev);
>
> if (hdev->sent_cmd) {
> + cancel_delayed_work_sync(&hdev->cmd_timer);
> kfree_skb(hdev->sent_cmd);
> hdev->sent_cmd = NULL;
> }
> --
> 2.38.1
A similar fix has already been applied:
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=64b5c4c8e79c131fe8f135bab5e5dfaa245c5776
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-07 18:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-05 19:04 [PATCH] Bluetooth: Fix use-after-free read in hci_cmd_timeout() Shigeru Yoshida
2022-11-05 19:40 ` bluez.test.bot
2022-11-07 18:49 ` [PATCH] " Luiz Augusto von Dentz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.