oss-sec mailing list archives
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()
From: tianshu qiu <jimuchutianshu97 () gmail com>
Date: Sat, 30 Nov 2024 16:32:17 +0800
The diagrams needs to be displayed correctly in full screen. The diagrams above are correct. The second diagram is the timeline for race. After careful analysis and debugging,i guess the commit: https://github.com/torvalds/linux/commit/e6720779ae612a14ac4ba7fe4fd5b27d900d932c has solved the UAF. The introduction of kref object ensures the dangling sco_conn object being freed in the function sco_conn_del when asynchronous hci event thread is invoked, which stops the subsequent exploit chain. I'm not sure if this commit is related to the email I sent, because i sent the first email to security () kernel org on November 14th, and the commit was on November 15th. On Sat, Nov 30, 2024 at 1:46 PM Solar Designer <solar () openwall com> wrote:
On Sat, Nov 30, 2024 at 01:18:18PM +0800, tianshu qiu wrote:The bug was introduced on Apr 11, 2023:https://github.com/torvalds/linux/commit/9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3The latest affected version is Linux-6.11.5I guess you actually mean the latest _known_ affected? So later versions may also be affected, but you haven't confirmed that? There were a couple of very wide diagrams in your message, which were not properly formatted in its text/plain part. The below is my attempt at resurrecting them from the text/html part (normally filtered out when relaying through this mailing list), but a very wide window is still needed to view them properly. First: ============================================================================== sco_sock_timeout Register Thread sco_sock_timeout Cancelled Thread # sco_sock_connect # sco_connect # sco_sock_set_timer #hci_rx_work # hci_event_packet # hci_event_func # hci_conn_complete_evt # hci_sco_setup # hci_connect_cfm # sco_connect_cfm # sco_conn_del # sco_sock_clear_timer # cancel_delayed_work ============================================================================== Second: ============================================================================================================================================================================= main thread thread 1 thread 2 # fd = socket(AF_BLUETOOTH, SOCK_SEQPACKET | SOCK_NONBLOCK , BTPROTO_SCO) # sco_sock_connect # sco_sock_connect # sco_connect # sco_connect # hci_connect_sco # hci_connect_sco # hci_connect_acl # hci_connect_acl # hci_acl_create_connection # hci_acl_create_connection # hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); # hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp); # hci_conn_complete_evt (Asynchronous HCI events) # close(fd) # struct sock is freed # hci_conn_complete_evt (Asynchronous HCI events) # .......... # sco_conn_del Deference freed "struct sock". -----------------> # sock_hold(sk) ============================================================================================================================================================================= Alexander
Current thread:
- Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer (Nov 28)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Luiz Augusto von Dentz (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 30)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Jeroen Roovers (Nov 30)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 30)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Luiz Augusto von Dentz (Nov 29)