[PATCH 6.1] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync

[PATCH 6.1] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync

[Sumanth Gavini]

commit 5af1f84ed13a416297ab9ced7537f4d5ae7f329a upstream.

Connections may be cleanup while waiting for the commands to complete so
this attempts to check if the connection handle remains valid in case of
errors that would lead to call hci_conn_failed:

BUG: KASAN: slab-use-after-free in hci_conn_failed+0x1f/0x160
Read of size 8 at addr ffff888001376958 by task kworker/u3:0/52

CPU: 0 PID: 52 Comm: kworker/u3:0 Not tainted
6.5.0-rc1-00527-g2dfe76d58d3a #5615
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x1d/0x70
 print_report+0xce/0x620
 ? __virt_addr_valid+0xd4/0x150
 ? hci_conn_failed+0x1f/0x160
 kasan_report+0xd1/0x100
 ? hci_conn_failed+0x1f/0x160
 hci_conn_failed+0x1f/0x160
 hci_abort_conn_sync+0x237/0x360

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sumanth Gavini <sumanth.gavini@yahoo.com>
---
 net/bluetooth/hci_sync.c | 43 +++++++++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 3f905ee4338f..acff47da799a 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5525,31 +5525,46 @@ static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
 
 int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
 {
-	int err;
+	int err = 0;
+	u16 handle = conn->handle;
 
 	switch (conn->state) {
 	case BT_CONNECTED:
 	case BT_CONFIG:
-		return hci_disconnect_sync(hdev, conn, reason);
+		err = hci_disconnect_sync(hdev, conn, reason);
+		break;
 	case BT_CONNECT:
 		err = hci_connect_cancel_sync(hdev, conn);
-		/* Cleanup hci_conn object if it cannot be cancelled as it
-		 * likelly means the controller and host stack are out of sync.
-		 */
-		if (err) {
-			hci_dev_lock(hdev);
-			hci_conn_failed(conn, err);
-			hci_dev_unlock(hdev);
-		}
-		return err;
+		break;
 	case BT_CONNECT2:
-		return hci_reject_conn_sync(hdev, conn, reason);
+		err = hci_reject_conn_sync(hdev, conn, reason);
+		break;
 	default:
 		conn->state = BT_CLOSED;
-		break;
+		return 0;
 	}
 
-	return 0;
+	/* Cleanup hci_conn object if it cannot be cancelled as it
+	 * likelly means the controller and host stack are out of sync
+	 * or in case of LE it was still scanning so it can be cleanup
+	 * safely.
+	 */
+	if (err) {
+		struct hci_conn *c;
+
+		/* Check if the connection hasn't been cleanup while waiting
+		 * commands to complete.
+		 */
+		c = hci_conn_hash_lookup_handle(hdev, handle);
+		if (!c || c != conn)
+			return 0;
+
+		hci_dev_lock(hdev);
+		hci_conn_failed(conn, err);
+		hci_dev_unlock(hdev);
+	}
+
+	return err;
 }
 
 static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
-- 
2.43.0

Re: [PATCH 6.1] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: 5af1f84ed13a416297ab9ced7537f4d5ae7f329a

WARNING: Author mismatch between patch and upstream commit:
Backport author: Sumanth Gavini <sumanth.gavini@yahoo.com>
Commit author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)

Note: The patch differs from the upstream commit:
---
1:  5af1f84ed13a ! 1:  347ef4c82277 Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
    @@
      ## Metadata ##
    -Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    +Author: Sumanth Gavini <sumanth.gavini@yahoo.com>
     
      ## Commit message ##
         Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
     
    +    commit 5af1f84ed13a416297ab9ced7537f4d5ae7f329a upstream.
    +
         Connections may be cleanup while waiting for the commands to complete so
         this attempts to check if the connection handle remains valid in case of
         errors that would lead to call hci_conn_failed:
    @@ Commit message
          hci_abort_conn_sync+0x237/0x360
     
         Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    +    Signed-off-by: Sumanth Gavini <sumanth.gavini@yahoo.com>
     
      ## net/bluetooth/hci_sync.c ##
     @@ net/bluetooth/hci_sync.c: static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
    @@ net/bluetooth/hci_sync.c: static int hci_reject_conn_sync(struct hci_dev *hdev,
     +		err = hci_disconnect_sync(hdev, conn, reason);
     +		break;
      	case BT_CONNECT:
    - 		err = hci_connect_cancel_sync(hdev, conn, reason);
    + 		err = hci_connect_cancel_sync(hdev, conn);
     -		/* Cleanup hci_conn object if it cannot be cancelled as it
    --		 * likelly means the controller and host stack are out of sync
    --		 * or in case of LE it was still scanning so it can be cleanup
    --		 * safely.
    +-		 * likelly means the controller and host stack are out of sync.
     -		 */
     -		if (err) {
     -			hci_dev_lock(hdev);
    @@ net/bluetooth/hci_sync.c: static int hci_reject_conn_sync(struct hci_dev *hdev,
     -		return hci_reject_conn_sync(hdev, conn, reason);
     +		err = hci_reject_conn_sync(hdev, conn, reason);
     +		break;
    - 	case BT_OPEN:
    - 	case BT_BOUND:
    - 		hci_dev_lock(hdev);
    -@@ net/bluetooth/hci_sync.c: int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
    - 		return 0;
      	default:
      		conn->state = BT_CLOSED;
     -		break;

---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| origin/linux-6.1.y        | Success     | Success    |