From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753587AbcCRQ7H (ORCPT <rfc822;w@1wt.eu>);
	Fri, 18 Mar 2016 12:59:07 -0400
Received: from mail-wm0-f48.google.com ([74.125.82.48]:36119 "EHLO
	mail-wm0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751910AbcCRQ7F (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 18 Mar 2016 12:59:05 -0400
Subject: Re: bluetooth: use-after-free in vhci_send_frame
To: Marcel Holtmann <marcel@holtmann.org>, Dmitry Vyukov <dvyukov@google.com>
References: <CACT4Y+beTdUrUdwb1Drri=eFx5Cb9b4bT7uoyBMXHvxjvDxsVw@mail.gmail.com>
 <CACT4Y+YcwPCUYmc96Pq5ReZes4O64HdMqSGzmZJjvah7bqjTMQ@mail.gmail.com>
 <56DDAC0F.7060500@suse.cz>
 <8FB90CCF-CB45-44C9-BF62-CFEE2B2B7CC5@holtmann.org>
 <CACT4Y+Y25MbZ9nvfTuW9imKV9B9-cpfZGK8orXuVwE6d_f4zQA@mail.gmail.com>
 <054BECDB-E7C1-4241-B298-FED0CEE6F3B2@holtmann.org>
Cc: "Gustavo F. Padovan" <gustavo@padovan.org>,
        Johan Hedberg <johan.hedberg@gmail.com>,
        linux-bluetooth <linux-bluetooth@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        syzkaller <syzkaller@googlegroups.com>,
        Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Sasha Levin <sasha.levin@oracle.com>
From: Jiri Slaby <jslaby@suse.cz>
Message-ID: <56EC33D5.40008@suse.cz>
Date: Fri, 18 Mar 2016 17:59:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <054BECDB-E7C1-4241-B298-FED0CEE6F3B2@holtmann.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/08/2016, 07:32 PM, Marcel Holtmann wrote:
> that means very little to me actually. So is the real issue caused by opening /dev/vhci or is that theoretical one via some internal kernel compile time feature.

Hi, what do you think about this one?

--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -196,6 +196,11 @@ static inline ssize_t vhci_get_user(stru

                cancel_delayed_work_sync(&data->open_timeout);

+               if (data->hdev) {
+                       kfree_skb(skb);
+                       return -EBADFD;
+               }
+
                opcode = *((__u8 *) skb->data);
                skb_pull(skb, 1);


open_timeout could be in progress (raced with us) and _sync cancel
waited for vhci_create_device to actually finish and create the device
the second time.

thanks,
-- 
js
suse labs