oss-sec mailing list archives
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()
From: Jeroen Roovers <jer () xs4all nl>
Date: Sat, 30 Nov 2024 22:05:16 +0100
On Sat, 30 Nov 2024 16:32:17 +0800 tianshu qiu <jimuchutianshu97 () gmail com> wrote:
> After careful analysis and debugging, I guess the commit: https://github.com/torvalds/linux/commit/e6720779ae612a14ac4ba7fe4fd5b27d900d932c has solved the UAF. The introduction of the kref object ensures that the dangling sco_conn object is freed in the function sco_conn_del when the asynchronous hci event thread is invoked, which stops the subsequent exploit chain. I'm not sure if this commit is related to the email I sent, because I sent the first email to security () kernel org on November 14th, and the commit was on November 15th.
The commit you mention above was submitted on 1 October 2024:
commit e6720779ae612a14ac4ba7fe4fd5b27d900d932c
Author: Luiz Augusto von Dentz <luiz.von.dentz () intel com>
Date: Tue Oct 1 15:46:10 2024 -0400
Bluetooth: SCO: Use kref to track lifetime of sco_conn
This makes use of kref to keep track of references to sco_conn, which
allows better tracking of its lifetime with usage of things like
kref_get_unless_zero in a similar way as used in l2cap_chan.
In addition to it, remove the call to sco_sock_set_timer on
__sco_sock_close since at that point it is useless to set a timer:
as the sk will be freed, there is nothing to be done in
sco_sock_timeout.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz () intel com>
Luiz' commit from 15 November 2024 is this one:
commit 0b882940665ca2849386ee459d4331aa2f8c4e7d
Author: Luiz Augusto von Dentz <luiz.von.dentz () intel com>
Date: Fri Nov 15 10:45:31 2024 -0500
Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
This fixes the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0
net/bluetooth/mgmt.c:1353 Read of size 8 at addr ffff888029b4dd18
by task kworker/u9:0/54
[...]
Reported-by: syzbot+03d6270b6425df1605bf () syzkaller appspotmail com
Tested-by: syzbot+03d6270b6425df1605bf () syzkaller appspotmail com
Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf
Fixes: 275f3f648702 ("Bluetooth: Fix not checking MGMT cmd pending queue")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz () intel com>
Kind regards,
jer
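The first commit quoted above describes the fix in one line: track sco_conn with a kref and take references via kref_get_unless_zero. The following userspace model, added here as an illustration and not taken from net/bluetooth/sco.c or include/linux/kref.h, shows why the conditional get matters. A `struct conn` stands in for sco_conn, a single `registry` pointer stands in for the list the HCI event side walks, and the kref helpers are re-implemented with C11 atomics so the program runs stand-alone. The scenario names (`conn_add`, `conn_del`, `conn_lookup_get`, `event_after_last_put`) are hypothetical; the object is statically allocated so the "bad" variant can be observed without reading genuinely freed memory.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's struct kref API (a model, not the kernel code). */
struct kref { atomic_uint refcount; };

static void kref_init(struct kref *k) { atomic_store(&k->refcount, 1); }

/* Unconditional get: only valid if the caller already holds a reference. */
static void kref_get(struct kref *k) { atomic_fetch_add(&k->refcount, 1); }

/* Conditional get: succeeds only while the count is non-zero, so a path that
 * found the object through a shared list cannot resurrect one being torn down. */
static int kref_get_unless_zero(struct kref *k)
{
    unsigned int old = atomic_load(&k->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&k->refcount, &old, old + 1))
            return 1;
    return 0;
}

/* Drop a reference; release() runs exactly when the count reaches zero. */
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
    if (atomic_fetch_sub(&k->refcount, 1) == 1) {
        release(k);
        return 1;
    }
    return 0;
}

/* Stand-in for sco_conn, shared between the socket side and the HCI event side. */
struct conn {
    struct kref ref;   /* must stay the first member: conn_release casts from it */
    int handle;
    bool released;     /* set by conn_release; the kernel would kfree() here */
    int releases;      /* how often release ran; anything above 1 is a bug */
};

static struct conn pool;        /* one static object: no real memory is freed */
static struct conn *registry;   /* plays the role of the list the event side walks */

static void conn_release(struct kref *k)
{
    struct conn *c = (struct conn *)k;
    c->released = true;
    c->releases++;
}

/* Socket side: create and publish; the creator holds the initial reference. */
static struct conn *conn_add(int handle)
{
    pool.handle = handle;
    pool.released = false;
    pool.releases = 0;
    kref_init(&pool.ref);
    registry = &pool;
    return &pool;
}

/* Socket side teardown (the sco_conn_del role): unpublish, drop our reference. */
static void conn_del(struct conn *c)
{
    registry = NULL;
    kref_put(&c->ref, conn_release);
}

/* Event side: find the connection and pin it. NULL means gone or dying. */
static struct conn *conn_lookup_get(int handle)
{
    struct conn *c = registry;
    if (!c || c->handle != handle || !kref_get_unless_zero(&c->ref))
        return NULL;
    return c;
}

/* No race: lookup pins the object, both sides put, release runs once. */
static int normal_path_releases(void)
{
    struct conn *c = conn_add(0x10);
    struct conn *e = conn_lookup_get(0x10);   /* 1 -> 2 */
    if (!e) return -1;
    kref_put(&e->ref, conn_release);          /* 2 -> 1 */
    conn_del(c);                              /* 1 -> 0, release */
    return pool.releases;
}

/* The racy window: the event side has already fetched the pointer when the
 * socket side finishes conn_del() and drops the last reference.
 * 0 = bailed out safely, 1 = used a live object, 2 = used a released object. */
static int event_after_last_put(bool use_unless_zero)
{
    struct conn *c = conn_add(0x11);
    struct conn *seen = registry;             /* fetched before the race */
    conn_del(c);                              /* 1 -> 0, release runs */
    if (use_unless_zero) {
        if (!kref_get_unless_zero(&seen->ref))
            return 0;                         /* count is 0: refuse, touch nothing */
    } else {
        kref_get(&seen->ref);                 /* 0 -> 1: resurrects a dead object */
    }
    int touched_released = seen->released;
    kref_put(&seen->ref, conn_release);       /* second release in the bad variant */
    return touched_released ? 2 : 1;
}

static int releases_after_race(bool use_unless_zero)
{
    event_after_last_put(use_unless_zero);
    return pool.releases;
}

int main(void)
{
    printf("normal path: releases=%d\n", normal_path_releases());
    printf("race with kref_get_unless_zero: outcome=%d releases=%d\n",
           event_after_last_put(true), releases_after_race(true));
    printf("race with plain kref_get:       outcome=%d releases=%d\n",
           event_after_last_put(false), releases_after_race(false));
    return 0;
}
```

With the conditional get the late event handler sees a zero count and backs off; with the unconditional get it revives the object, reads it after release, and triggers a second release on the final put, which in the kernel would be the use-after-free followed by a double free.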
Current thread:
- Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer (Nov 28)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Luiz Augusto von Dentz (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Solar Designer (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 30)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Jeroen Roovers (Nov 30)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 30)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() tianshu qiu (Nov 29)
- Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() Luiz Augusto von Dentz (Nov 29)
