mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync 

[ Upstream commit 5f641f03ab ]

This fixes the UAF on __hci_acl_create_connection_sync caused by
connection abortion, it uses the same logic as to LE_LINK which uses
hci_cmd_sync_cancel to prevent the callback to run if the connection is
abort prematurely.

Reported-by: syzbot+3f0a39be7a2035700868@syzkaller.appspotmail.com
Fixes: 45340097ce ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: 2e7ed5f5e6 ("Bluetooth: hci_sync: Use advertised PHYs on hci_le_ext_create_conn_sync")
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Luiz Augusto von Dentz 2024-02-09 09:08:06 -05:00 committed by Greg Kroah-Hartman
parent d47904d8e7
commit 7bb27cbb4b
3 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/net/bluetooth/hci_sync.h
View File

@ -139,5 +139,4 @@ int hci_le_big_terminate_sync(struct hci_dev *hdev, u8 handle);
int hci_le_pa_terminate_sync(struct hci_dev *hdev, u16 handle);
int hci_acl_create_connection_sync(struct hci_dev *hdev,
struct hci_conn *conn);
int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn);

3
net/bluetooth/hci_conn.c
View File

@ -1645,7 +1645,7 @@ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
acl->auth_type = auth_type;
acl->conn_timeout = timeout;
err = hci_acl_create_connection_sync(hdev, acl);
err = hci_connect_acl_sync(hdev, acl);
if (err) {
hci_conn_del(acl);
return ERR_PTR(err);
@ -2942,6 +2942,7 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
*/
if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
switch (hci_skb_event(hdev->sent_cmd)) {
case HCI_EV_CONN_COMPLETE:
case HCI_EV_LE_CONN_COMPLETE:
case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
case HCI_EVT_LE_CIS_ESTABLISHED:

16
net/bluetooth/hci_sync.c
View File

@ -6552,13 +6552,18 @@ int hci_update_adv_data(struct hci_dev *hdev, u8 instance)
UINT_PTR(instance), NULL);
}
static int __hci_acl_create_connection_sync(struct hci_dev *hdev, void *data)
static int hci_acl_create_conn_sync(struct hci_dev *hdev, void *data)
{
struct hci_conn *conn = data;
struct hci_conn *conn;
u16 handle = PTR_UINT(data);
struct inquiry_entry *ie;
struct hci_cp_create_conn cp;
int err;
conn = hci_conn_hash_lookup_handle(hdev, handle);
if (!conn)
return 0;
/* Many controllers disallow HCI Create Connection while it is doing
* HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
* Connection. This may cause the MGMT discovering state to become false
@ -6615,9 +6620,8 @@ static int __hci_acl_create_connection_sync(struct hci_dev *hdev, void *data)
return err;
}
int hci_acl_create_connection_sync(struct hci_dev *hdev,
struct hci_conn *conn)
int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
{
return hci_cmd_sync_queue(hdev, __hci_acl_create_connection_sync,
conn, NULL);
return hci_cmd_sync_queue(hdev, hci_acl_create_conn_sync,
UINT_PTR(conn->handle), NULL);
}