* [PATCH] Bluetooth: bnep: Fix UAF read of dev->name
@ 2026-05-12 20:15 Jann Horn
From: Jann Horn @ 2026-05-12 20:15 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, stable, Jann Horn
bnep_add_connection() needs to keep holding the bnep_session_sem while
reading dev->name (just like bnep_get_connlist() does); otherwise the
bnep_session() thread can concurrently free the net_device, which can for
example be triggered by a concurrent bnep_del_connection().
(This UAF is fairly uninteresting from a security perspective;
calling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)
check. It also requires completely tearing down a netdev during a fairly
tight race window.)
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
---
I have tested that this bug can lead to UAF by using KASAN and
introducing an artificial delay with mdelay().
---
net/bluetooth/bnep/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 853c8d7644b5..0de5df690bd0 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -645,8 +645,8 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
goto failed;
}
- up_write(&bnep_session_sem);
strcpy(req->device, dev->name);
+ up_write(&bnep_session_sem);
return 0;
failed:
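Review bot: The reordering is correct as far as the hunk shows: strcpy(req->device, dev->name) now runs before up_write(&bnep_session_sem) on the success path, so dev->name is read while the session (and therefore the net_device) is still pinned, which matches the description and the bnep_get_connlist() precedent cited in the commit message. One thing to confirm in the surrounding code not shown here is that the "failed:" path still releases bnep_session_sem exactly once, since the unlock on the success path has moved. Style point worth a follow-up rather than this fix: the same copy could use strscpy(req->device, dev->name, sizeof(req->device)) instead of strcpy().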
---
base-commit: 1d5dcaa3bd65f2e8c9baa14a393d3a2dc5db7524
change-id: 20260512-bnep-add-uaf-f730caec3b13
--
Jann Horn <jannh@google.com>
* RE: Bluetooth: bnep: Fix UAF read of dev->name
2026-05-12 20:15 [PATCH] Bluetooth: bnep: Fix UAF read of dev->name Jann Horn
@ 2026-05-12 21:23 ` bluez.test.bot
From: bluez.test.bot @ 2026-05-12 21:23 UTC (permalink / raw)
To: linux-bluetooth, jannh
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1093767
---Test result---
Test Summary:
CheckPatch PASS 0.54 seconds
GitLint FAIL 0.21 seconds
SubjectPrefix PASS 0.07 seconds
BuildKernel PASS 26.75 seconds
CheckAllWarning PASS 29.78 seconds
CheckSparse PASS 27.99 seconds
BuildKernel32 PASS 26.10 seconds
TestRunnerSetup PASS 579.08 seconds
TestRunner_bnep-tester PASS 19.09 seconds
IncrementalBuild PASS 24.48 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: bnep: Fix UAF read of dev->name
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
27: B2 Line has trailing whitespace: "-- "
https://github.com/bluez/bluetooth-next/pull/179
---
Regards,
Linux Bluetooth