linux-stable/include/net/bluetooth
Ruihan Li b0167893c0 Bluetooth: Fix UAF in hci_conn_hash_flush again
commit a2ac591cb4 upstream.

Commit 06149746e7 ("Bluetooth: hci_conn: Add support for linking
multiple hcon") reintroduced a previously fixed bug [1] ("KASAN:
slab-use-after-free Read in hci_conn_hash_flush"). This bug was
originally fixed by commit 5dc7d23e16 ("Bluetooth: hci_conn: Fix
possible UAF").

The hci_conn_unlink function was added to avoid invalidating the link
traversal caused by successive hci_conn_del operations releasing extra
connections. However, currently hci_conn_unlink itself also releases
extra connections, resulting in the reintroduced bug.

This patch follows a more robust solution for cleaning up all
connections, by repeatedly removing the first connection until there are
none left. This approach does not rely on the inner workings of
hci_conn_del and ensures proper cleanup of all connections.

Meanwhile, we need to make sure that hci_conn_del never fails. Indeed it
doesn't, as it now always returns zero. To make this a bit clearer, this
patch also changes its return type to void.

Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
Fixes: 06149746e7 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-06-14 11:17:05 +02:00
bluetooth.h Bluetooth: Split bt_iso_qos into dedicated structures 2023-06-14 11:16:45 +02:00
hci.h Bluetooth: fix debugfs registration 2023-06-14 11:16:58 +02:00
hci_core.h Bluetooth: Fix UAF in hci_conn_hash_flush again 2023-06-14 11:17:05 +02:00
hci_mon.h Bluetooth: monitor: Add support for ISO packets 2020-01-15 22:28:51 +01:00
hci_sock.h Bluetooth: Fix HCIGETDEVINFO regression 2022-09-08 14:33:53 -07:00
hci_sync.h Bluetooth: convert hci_update_adv_data to hci_sync 2022-08-25 16:20:30 -07:00
iso.h Bluetooth: ISO: Add broadcast support 2022-07-22 17:14:13 -07:00
l2cap.h Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-07-26 13:35:24 -07:00
mgmt.h Bluetooth: MGMT: add CIS feature bits to controller information 2023-02-09 14:18:27 -08:00
rfcomm.h Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
sco.h Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections 2020-06-12 15:08:49 +02:00