oss-sec mailing list archives
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()
From: Solar Designer <solar () openwall com>
Date: Sat, 30 Nov 2024 06:46:34 +0100
On Sat, Nov 30, 2024 at 01:18:18PM +0800, tianshu qiu wrote:
> The bug was introduced on Apr 11, 2023:
> https://github.com/torvalds/linux/commit/9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3
> The latest affected version is Linux-6.11.5
I guess you actually mean the latest _known_ affected? So later
versions may also be affected, but you haven't confirmed that?
There were a couple of very wide diagrams in your message, which were
not properly formatted in its text/plain part. The below is my attempt
at resurrecting them from the text/html part (normally filtered out when
relaying through this mailing list), but a very wide window is still
needed to view them properly.
First:
==============================================================================
sco_sock_timeout Register Thread        sco_sock_timeout Cancelled Thread
# sco_sock_connect
# sco_connect
# sco_sock_set_timer                    # hci_rx_work
                                        # hci_event_packet
                                        # hci_event_func
                                        # hci_conn_complete_evt
                                        # hci_sco_setup
                                        # hci_connect_cfm
                                        # sco_connect_cfm
                                        # sco_conn_del
                                        # sco_sock_clear_timer
                                        # cancel_delayed_work
==============================================================================
Second:
================================================================================================================
main thread                         thread 1                                                    thread 2
# fd = socket(AF_BLUETOOTH,
              SOCK_SEQPACKET | SOCK_NONBLOCK,
              BTPROTO_SCO)
                                    # sco_sock_connect                                          # sco_sock_connect
                                    # sco_connect                                               # sco_connect
                                    # hci_connect_sco                                           # hci_connect_sco
                                    # hci_connect_acl                                           # hci_connect_acl
                                    # hci_acl_create_connection                                 # hci_acl_create_connection
                                    # hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);  # hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
                                    # hci_conn_complete_evt (Asynchronous HCI events)
# close(fd)
# struct sock is freed
                                                                                                # hci_conn_complete_evt (Asynchronous HCI events)
                                                                                                # ..........
                                                                                                # sco_conn_del
                                            Dereference freed "struct sock". -----------------> # sock_hold(sk)
================================================================================================================
Alexander
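A compact user-space model of the lifetime bug in the second diagram, added here as an illustration; it is neither kernel code nor the reporter's proof of concept. The interleaving is replayed deterministically in a single thread (connect issues the asynchronous HCI operation, close drops the descriptor's reference, the completion then runs sco_conn_del), and a poison mark stands in for free() so the bad access can be counted rather than crashing the process. The hardened variant pins the object with a reference for the duration of the in-flight operation, which is the general remedy for this class of bug and is shown as an assumption about the fix, not as the upstream patch. All struct and function names below are hypothetical; they only mimic sock_hold()/sock_put()/sco_conn_del().

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Poison value standing in for "this memory was freed"; a real free()
 * would make the later access undefined behaviour and impossible to assert on. */
enum { SK_LIVE = 1, SK_FREED = 0xdead };

/* Constructed stand-in for struct sock, tracking only what the race needs. */
struct model_sock {
    int state;       /* SK_LIVE or SK_FREED */
    int refcnt;      /* models sk_refcnt */
    int completions; /* completions that found a live object */
    int uaf_hits;    /* accesses performed after the object was "freed" */
};

static void model_sock_init(struct model_sock *sk)
{
    memset(sk, 0, sizeof(*sk));
    sk->state = SK_LIVE;
    sk->refcnt = 1;  /* the reference owned by the file descriptor */
}

/* Models sock_hold(): the access the diagram's arrow points at. */
static void model_sock_hold(struct model_sock *sk)
{
    if (sk->state != SK_LIVE) {
        sk->uaf_hits++;
        return;
    }
    sk->refcnt++;
}

/* Models sock_put(): dropping the last reference frees the object. */
static void model_sock_put(struct model_sock *sk)
{
    if (sk->state != SK_LIVE) {
        sk->uaf_hits++;
        return;
    }
    if (--sk->refcnt == 0)
        sk->state = SK_FREED;
}

/* Models the completion path hci_conn_complete_evt -> ... -> sco_conn_del. */
static void model_sco_conn_del(struct model_sock *sk)
{
    model_sock_hold(sk);
    if (sk->state != SK_LIVE)
        return;               /* UAF already recorded by model_sock_hold() */
    sk->completions++;
    model_sock_put(sk);       /* balances the hold above */
}

/*
 * Replays the interleaving from the diagram:
 *   thread: sco_sock_connect() issues HCI_OP_CREATE_CONN (asynchronous)
 *   main:   close(fd) drops the descriptor's reference
 *   later:  the HCI completion event runs sco_conn_del() on the sock
 * With hardened == true the connect path pins the sock for the lifetime of
 * the in-flight operation (hold before issuing, put in the completion).
 * That pinning is the generic fix pattern for this bug class, shown for
 * illustration only; it is not a claim about the upstream patch.
 * Returns the number of use-after-free accesses the model detected.
 */
static int replay_race(bool hardened, struct model_sock *out)
{
    struct model_sock sk;
    model_sock_init(&sk);

    if (hardened)
        model_sock_hold(&sk);   /* reference owned by the in-flight HCI op */

    model_sock_put(&sk);        /* main thread: close(fd) */

    model_sco_conn_del(&sk);    /* asynchronous HCI completion */
    if (hardened)
        model_sock_put(&sk);    /* in-flight op finished: drop its reference */

    if (out)
        *out = sk;
    return sk.uaf_hits;
}

/* 1 if the pinned variant ran its completion and then released the object. */
static int hardened_frees_cleanly(void)
{
    struct model_sock sk;
    replay_race(true, &sk);
    return sk.state == SK_FREED && sk.completions == 1 && sk.refcnt == 0;
}

int main(void)
{
    printf("unpinned: %d UAF access(es)\n", replay_race(false, NULL));
    printf("pinned:   %d UAF access(es), clean release: %s\n",
           replay_race(true, NULL), hardened_frees_cleanly() ? "yes" : "no");
    return 0;
}
```

The point of the model is the ownership rule it makes visible: whoever issues an operation that completes asynchronously must own a reference to the object the completion will touch, so that close() releasing the descriptor's reference can never be the last one while the completion is still pending.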
