Message-ID: <CAH_BBqdjufLB46c7MniJMUpc23i9aR4ScCMNV7-mb5_zd6w_og@mail.gmail.com>
Date: Sun, 1 Dec 2024 08:34:54 +0800
From: tianshu qiu <jimuchutianshu97@...il.com>
To: Jeroen Roovers <jer@...all.nl>
Cc: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>, 
	Luiz Augusto von Dentz <luiz.dentz@...il.com>, Marcel Holtmann <marcel@...tmann.org>, 
	Johan Hedberg <johan.hedberg@...il.com>
Subject: Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()

Thanks for your explanation.

On Sun, Dec 1, 2024 at 5:05 AM Jeroen Roovers <jer@...all.nl> wrote:

> On Sat, 30 Nov 2024 16:32:17 +0800
> tianshu qiu <jimuchutianshu97@...il.com> wrote:
>
> > After careful analysis and debugging, I guess the commit:
> >
> > https://github.com/torvalds/linux/commit/e6720779ae612a14ac4ba7fe4fd5b27d900d932c
> > has solved the UAF.
> > The introduction of the kref object ensures the dangling sco_conn object
> > is freed in the function sco_conn_del when the asynchronous hci event
> > thread is invoked, which stops the subsequent exploit chain.
> >
> > I'm not sure if this commit is related to the email I sent, because I
> > sent the first email to security@...nel.org on November 14th, and
> > the commit was on November 15th.
>
> The commit you mention above was submitted on 1 October 2024:
>
>
> commit e6720779ae612a14ac4ba7fe4fd5b27d900d932c
> Author: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>
> Date:   Tue Oct 1 15:46:10 2024 -0400
>
>     Bluetooth: SCO: Use kref to track lifetime of sco_conn
>
>     This makes use of kref to keep track of references of sco_conn, which
>     allows better tracking of its lifetime with usage of things like
>     kref_get_unless_zero in a similar way as used in l2cap_chan.
>
>     In addition to it, remove the call to sco_sock_set_timer on
>     __sco_sock_close since at that point it is useless to set a timer:
>     as the sk will be freed, there is nothing to be done in
>     sco_sock_timeout.
>
>     Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>
>
>
> Luiz' commit from 15 November 2024 is this one:
>
>
> commit 0b882940665ca2849386ee459d4331aa2f8c4e7d
> Author: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>
> Date:   Fri Nov 15 10:45:31 2024 -0500
>
>     Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
>
>     This fixes the following crash:
>
>     ==================================================================
>     BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0
>     net/bluetooth/mgmt.c:1353 Read of size 8 at addr ffff888029b4dd18
>     by task kworker/u9:0/54
>
>     [...]
>
>     Reported-by: syzbot+03d6270b6425df1605bf@...kaller.appspotmail.com
>     Tested-by: syzbot+03d6270b6425df1605bf@...kaller.appspotmail.com
>     Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf
>     Fixes: 275f3f648702 ("Bluetooth: Fix not checking MGMT cmd pending queue")
>     Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@...el.com>
>
>
>
> Kind regards,
>      jer
>
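The kref lifetime tracking that the quoted analysis credits for closing the race, as an added stand-alone C model that is not part of this message or of the kernel source. It assumes a static slot in place of the slab object and reuses kernel-style names (sco_conn_add, sco_conn_del, sco_conn_hold_unless_zero) for the model only.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Stand-alone user-space model of the kref lifetime tracking that commit
 * e6720779 added for sco_conn (illustrative, not the kernel's code). The object
 * lives in a static slot, not the slab, so it can be inspected after release. */
struct sco_conn {
    atomic_int ref;   /* models struct kref */
    int dead;         /* set by the release callback, stands in for kfree() */
};
static struct sco_conn conn_slot;
static void sco_conn_free(struct sco_conn *conn) { conn->dead = 1; } /* release cb */

/* Models kref_get_unless_zero(): take a reference only while the object is
 * alive; NULL means a concurrent sco_conn_del() already released it. */
static struct sco_conn *sco_conn_hold_unless_zero(struct sco_conn *conn)
{
    int old = atomic_load(&conn->ref);
    while (old != 0)
        if (atomic_compare_exchange_weak(&conn->ref, &old, old + 1))
            return conn;
    return NULL;
}

/* Models kref_put(): dropping the last reference runs the release callback. */
static void sco_conn_put(struct sco_conn *conn)
{
    if (atomic_fetch_sub(&conn->ref, 1) == 1) sco_conn_free(conn);
}

/* Models sco_conn_add() (hcon owns the initial reference) and sco_conn_del()
 * on the HCI event path (drops that reference). */
static struct sco_conn *sco_conn_add(void)
{
    conn_slot.dead = 0; atomic_store(&conn_slot.ref, 1); return &conn_slot;
}
static void sco_conn_del(struct sco_conn *conn) { sco_conn_put(conn); }

/* The reported interleaving: sco_sock_connect() is using the conn when the
 * event thread runs sco_conn_del(). Its own reference keeps the object alive;
 * once dropped, the object is released and a stale pointer cannot re-acquire it. */
int kref_prevents_sco_conn_uaf(void)
{
    struct sco_conn *conn = sco_conn_add();
    struct sco_conn *held = sco_conn_hold_unless_zero(conn); /* socket path */
    sco_conn_del(conn);               /* event thread tears the link down */
    int alive_while_held = held != NULL && !held->dead;
    sco_conn_put(held);               /* socket path is done with it */
    return alive_while_held && conn->dead &&
           sco_conn_hold_unless_zero(conn) == NULL;
}
```

Without the socket path's own reference, the same interleaving would release the object while sco_sock_connect() still holds a pointer to it, which is the use-after-free the thread discusses.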
