Message-ID: <20241130220516.2debb17b@del.fritz.box>
Date: Sat, 30 Nov 2024 22:05:16 +0100
From: Jeroen Roovers <jer@...all.nl>
To: tianshu qiu <jimuchutianshu97@...il.com>
Cc: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>, Luiz Augusto von Dentz <luiz.dentz@...il.com>, Marcel Holtmann <marcel@...tmann.org>, Johan Hedberg <johan.hedberg@...il.com>
Subject: Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()

On Sat, 30 Nov 2024 16:32:17 +0800
tianshu qiu <jimuchutianshu97@...il.com> wrote:

> After careful analysis and debugging, I guess the commit
> https://github.com/torvalds/linux/commit/e6720779ae612a14ac4ba7fe4fd5b27d900d932c
> has solved the UAF.
> The introduction of the kref object ensures the dangling sco_conn object
> is freed in the function sco_conn_del when the asynchronous HCI event
> thread is invoked, which stops the subsequent exploit chain.
>
> I'm not sure if this commit is related to the email I sent, because I
> sent the first email to security@...nel.org on November 14th, and
> the commit was on November 15th.

The commit you mention above was submitted on 1 October 2024:

    commit e6720779ae612a14ac4ba7fe4fd5b27d900d932c
    Author: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>
    Date:   Tue Oct 1 15:46:10 2024 -0400

        Bluetooth: SCO: Use kref to track lifetime of sco_conn

        This makes use of kref to keep track of references to sco_conn, which
        allows better tracking of its lifetime with usage of things like
        kref_get_unless_zero, in a similar way as used in l2cap_chan.

        In addition to it, remove the call to sco_sock_set_timer in
        __sco_sock_close since at that point it is useless to set a timer: as
        the sk will be freed, there is nothing to be done in sco_sock_timeout.

        Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>

Luiz' commit from 15 November 2024 is this one:

    commit 0b882940665ca2849386ee459d4331aa2f8c4e7d
    Author: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>
    Date:   Fri Nov 15 10:45:31 2024 -0500

        Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync

        This fixes the following crash:

        ==================================================================
        BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
        Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54
        [...]

        Reported-by: syzbot+03d6270b6425df1605bf@...kaller.appspotmail.com
        Tested-by: syzbot+03d6270b6425df1605bf@...kaller.appspotmail.com
        Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf
        Fixes: 275f3f648702 ("Bluetooth: Fix not checking MGMT cmd pending queue")
        Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>

Kind regards,
jer
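The kref pattern that the first commit above applies to sco_conn (and that the quoted reply credits with cutting off the UAF) is easy to see in miniature. The following is an added example, not code from this thread or from the kernel: a single-threaded user-space model in which a plain counter stands in for the kernel's refcount_t, `struct sco_conn` is a hypothetical stand-in for the real one, and a small fixed pool imitates a slab whose released slots stay readable so that a touch after release can be observed in a test instead of being undefined behaviour. It shows the two orderings of the race between the socket side tearing a connection down (sco_conn_del) and an asynchronous event path that still holds a pointer to it: with the old unguarded access the event path reads a released object; with kref_get_unless_zero it either bails out safely or, if it already holds a reference, keeps the object alive until it is done. What the model does not cover is the locking the kernel uses around the pointer lookup itself.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct kref (assumption: single-threaded model,
 * so a plain counter replaces the atomic refcount_t). */
struct kref { unsigned int refcount; };

static void kref_init(struct kref *k) { k->refcount = 1; }

/* Same contract as the kernel helper: take a reference only while the
 * object is alive (count > 0); return 0 if it was already released. */
static int kref_get_unless_zero(struct kref *k)
{
    if (k->refcount == 0)
        return 0;
    k->refcount++;
    return 1;
}

/* Drop a reference; the last one invokes release(). */
static void kref_put(struct kref *k, void (*release)(struct kref *k))
{
    if (--k->refcount == 0)
        release(k);
}

/* Hypothetical stand-in for struct sco_conn, shared between the socket side
 * and the asynchronous HCI event side. */
struct sco_conn {
    struct kref ref;
    int handle;
    int freed;  /* instrumentation only: set by the release callback */
};

/* Imitation slab: released slots (refcount == 0) stay readable. */
#define POOL_SIZE 4
static struct sco_conn pool[POOL_SIZE];

static void sco_conn_release(struct kref *k)
{
    struct sco_conn *c = (struct sco_conn *)((char *)k - offsetof(struct sco_conn, ref));
    c->freed = 1;
}

static struct sco_conn *sco_conn_alloc(int handle)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].ref.refcount == 0) {
            kref_init(&pool[i].ref);
            pool[i].handle = handle;
            pool[i].freed = 0;
            return &pool[i];
        }
    }
    return NULL;
}

/* Socket side tearing the connection down: drops the socket's reference. */
static void sco_conn_del(struct sco_conn *conn) { kref_put(&conn->ref, sco_conn_release); }

/* Event path, old style: trusts a cached pointer. Returns -1 when it touches
 * a released object; real code has no such check, the read itself is the UAF. */
static int sco_event_unguarded(struct sco_conn *conn)
{
    return conn->freed ? -1 : conn->handle;
}

/* Event path, kref style: proceeds only if it can take a reference and holds
 * it for the duration of the work. Returns 0 when the connection is gone. */
static int sco_event_guarded(struct sco_conn *conn)
{
    if (!kref_get_unless_zero(&conn->ref))
        return 0;
    int handle = conn->handle;
    kref_put(&conn->ref, sco_conn_release);
    return handle;
}

/* Ordering 1: teardown runs first; the event path still holds a stale pointer. */
static int run_stale_pointer(int guarded)
{
    struct sco_conn *conn = sco_conn_alloc(0x42);
    struct sco_conn *cached = conn;  /* pointer held by the event path */
    sco_conn_del(conn);
    return guarded ? sco_event_guarded(cached) : sco_event_unguarded(cached);
}

/* Ordering 2: the event path takes its reference first, so teardown only
 * drops a count and the object outlives sco_conn_del until the path is done.
 * Returns the handle when the lifetime was extended exactly as expected. */
static int run_held_reference(void)
{
    struct sco_conn *conn = sco_conn_alloc(7);
    if (!kref_get_unless_zero(&conn->ref))
        return -2;
    sco_conn_del(conn);
    int alive_after_del = !conn->freed;
    int handle = conn->handle;
    kref_put(&conn->ref, sco_conn_release);
    return (alive_after_del && conn->freed) ? handle : -3;
}

int main(void)
{
    printf("stale pointer, unguarded: %d\n", run_stale_pointer(0));
    printf("stale pointer, guarded:   %d\n", run_stale_pointer(1));
    printf("held reference:           %d\n", run_held_reference());
    return 0;
}
```

The unguarded run reports -1 (it read a released slot), the guarded run reports 0 (the event path declined to touch the object), and the held-reference run reports the handle because the socket side's sco_conn_del only dropped a count and release happened at the event path's final kref_put. That last behaviour is what the commit message means by tracking the lifetime of sco_conn: whoever holds the last reference frees it, so neither side can free it out from under the other.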