linux/net/bluetooth
Luiz Augusto von Dentz 3d1c16e920 Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
This fixes the following error caused by hci_conn being freed while
hcy_acl_create_conn_sync is pending:

==================================================================
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0xa7/0x2e0
Write of size 2 at addr ffff888002ae0036 by task kworker/u3:0/848

CPU: 0 PID: 848 Comm: kworker/u3:0 Not tainted 6.8.0-rc6-g2ab3e8d67fc1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x21/0x70
 print_report+0xce/0x620
 ? preempt_count_sub+0x13/0xc0
 ? __virt_addr_valid+0x15f/0x310
 ? hci_acl_create_conn_sync+0xa7/0x2e0
 kasan_report+0xdf/0x110
 ? hci_acl_create_conn_sync+0xa7/0x2e0
 hci_acl_create_conn_sync+0xa7/0x2e0
 ? __pfx_hci_acl_create_conn_sync+0x10/0x10
 ? __pfx_lock_release+0x10/0x10
 ? __pfx_hci_acl_create_conn_sync+0x10/0x10
 hci_cmd_sync_work+0x138/0x1c0
 process_one_work+0x405/0x800
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_process_one_work+0x10/0x10
 worker_thread+0x37b/0x670
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x19b/0x1e0
 ? kthread+0xfe/0x1e0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2f/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 847:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 hci_conn_add+0xc6/0x970
 hci_connect_acl+0x309/0x410
 pair_device+0x4fb/0x710
 hci_sock_sendmsg+0x933/0xef0
 sock_write_iter+0x2c3/0x2d0
 do_iter_readv_writev+0x21a/0x2e0
 vfs_writev+0x21c/0x7b0
 do_writev+0x14a/0x180
 do_syscall_64+0x77/0x150
 entry_SYSCALL_64_after_hwframe+0x6c/0x74

Freed by task 847:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0xfa/0x150
 kfree+0xcb/0x250
 device_release+0x58/0xf0
 kobject_put+0xbb/0x160
 hci_conn_del+0x281/0x570
 hci_conn_hash_flush+0xfc/0x130
 hci_dev_close_sync+0x336/0x960
 hci_dev_close+0x10e/0x140
 hci_sock_ioctl+0x14a/0x5c0
 sock_ioctl+0x58a/0x5d0
 __x64_sys_ioctl+0x480/0xf60
 do_syscall_64+0x77/0x150
 entry_SYSCALL_64_after_hwframe+0x6c/0x74

Fixes: 45340097ce ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2024-03-08 11:06:14 -05:00
..
bnep Bluetooth: bnep: Fix out-of-bound access 2024-03-06 17:26:24 -05:00
cmtp
hidp
rfcomm Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security 2024-02-28 09:42:26 -05:00
6lowpan.c Bluetooth: constify the struct device_type usage 2024-03-06 17:24:07 -05:00
af_bluetooth.c Bluetooth: af_bluetooth: Fix deadlock 2024-03-06 17:26:25 -05:00
aosp.c
aosp.h
coredump.c
ecdh_helper.c
ecdh_helper.h
eir.c Bluetooth: Fix eir name length 2024-03-08 10:22:17 -05:00
eir.h
hci_codec.c
hci_codec.h
hci_conn.c Bluetooth: hci_sync: Fix overwriting request callback 2024-03-06 17:26:20 -05:00
hci_core.c Bluetooth: fix use-after-free in accessing skb after sending it 2024-03-06 17:26:58 -05:00
hci_debugfs.c Bluetooth: Fix atomicity violation in {min,max}_key_size_set 2023-12-22 13:00:36 -05:00
hci_debugfs.h
hci_event.c Bluetooth: Add new quirk for broken read key length on ATS2851 2024-03-06 17:27:14 -05:00
hci_request.c Bluetooth: hci_core: Cancel request on command timeout 2024-03-06 17:22:38 -05:00
hci_request.h
hci_sock.c Bluetooth: Remove usage of the deprecated ida_simple_xx() API 2024-03-06 17:22:38 -05:00
hci_sync.c Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync 2024-03-08 11:06:14 -05:00
hci_sysfs.c
iso.c Bluetooth: ISO: Align broadcast sync_timeout with connection timeout 2024-03-07 11:58:17 -05:00
Kconfig Bluetooth: Remove BT_HS 2024-03-06 17:22:39 -05:00
l2cap_core.c Bluetooth: hci_conn: Always use sk_timeo as conn_timeout 2024-03-06 17:22:41 -05:00
l2cap_sock.c Bluetooth: hci_conn: Always use sk_timeo as conn_timeout 2024-03-06 17:22:41 -05:00
leds.c
leds.h
lib.c
Makefile Bluetooth: Remove BT_HS 2024-03-06 17:22:39 -05:00
mgmt_config.c
mgmt_config.h
mgmt_util.c
mgmt_util.h
mgmt.c Bluetooth: Fix eir name length 2024-03-08 10:22:17 -05:00
msft.c Bluetooth: msft: Fix memory leak 2024-03-06 17:26:23 -05:00
msft.h
sco.c Bluetooth: hci_conn: Always use sk_timeo as conn_timeout 2024-03-06 17:22:41 -05:00
selftest.c
selftest.h
smp.c
smp.h