Yuxuan Hu 567c0411dc Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
[ Upstream commit 2535b848fa ]

During our fuzz testing of the connection and disconnection process at the
RFCOMM layer, we discovered this bug. By comparing the packets from a
normal connection and disconnection process with the test case that
triggered a KASAN report, we analyzed the cause of this bug as follows:

1. In the packets captured during a normal connection, the host sends a
`Read Encryption Key Size` type of `HCI_CMD` packet
(Command Opcode: 0x1408) to the controller to inquire about the length of
the encryption key. After receiving this packet, the controller immediately
replies with a Command Complete packet (Event Code: 0x0e) to return the
Encryption Key Size.

2. In our fuzz test case, the timing of the controller's response to this
packet was delayed to an unexpected point: after the RFCOMM and L2CAP
layers had disconnected but before the HCI layer had disconnected.

3. After receiving the Encryption Key Size Response at the time described
in point 2, the host still called the rfcomm_check_security function.
However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`
had already been released, and when the function executed
`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,
specifically when accessing `conn->hcon`, a null-ptr-deref error occurred.

To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling
rfcomm_recv_frame in rfcomm_process_rx.

Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-26 18:20:27 -04:00
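The ordering the commit message describes, as an added example that is not part of the kernel tree or of the patch: a user-space C model in which the RFCOMM receive loop drains a socket queue, L2CAP teardown clears the channel's `l2cap_conn` and marks the socket `BT_CLOSED`, and a frame that is still processed after that point walks `sk -> chan -> conn -> hcon` in a `rfcomm_check_security()` stand-in. The struct definitions, the frame types, `l2cap_teardown()`, `replay_race()` and the `null_derefs` counter (which stands in for the KASAN report so the program does not actually crash) are simplifications written for this example; only the `sk_state != BT_CLOSED` check before dispatching a frame mirrors the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Subset of the socket states used by the kernel Bluetooth stack. */
enum bt_state { BT_CONNECTED = 1, BT_CLOSED = 9 };

/* A queued frame whose handler ends up in the security check (hypothetical type). */
enum frame_type { FRAME_DATA, FRAME_NEEDS_SECURITY_CHECK };

struct hci_conn   { int enc_key_size; int sec_level; };
struct l2cap_conn { struct hci_conn *hcon; };
struct l2cap_chan { struct l2cap_conn *conn; };
struct sock {
	enum bt_state sk_state;
	struct l2cap_chan *chan;
	enum frame_type rx_queue[8];	/* stands in for sk_receive_queue */
	int rx_len;
};
struct rfcomm_session { struct sock *sk; };

/* Stand-in for the KASAN splat: counts the NULL l2cap_conn dereferences the
 * real code would perform.  Example-only, not kernel code. */
static int null_derefs;

static int hci_conn_security(struct hci_conn *hcon, int sec_level)
{
	return hcon->sec_level >= sec_level;
}

/* Mirrors the pointer walk in rfcomm_check_security(): sk -> chan -> conn -> hcon. */
static int rfcomm_check_security(struct sock *sk, int sec_level)
{
	struct l2cap_conn *conn = sk->chan->conn;

	if (conn == NULL) {
		null_derefs++;		/* the kernel would read conn->hcon here */
		return 0;
	}
	return hci_conn_security(conn->hcon, sec_level);
}

static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, enum frame_type f)
{
	if (f == FRAME_NEEDS_SECURITY_CHECK)
		rfcomm_check_security(s->sk, 2);
	return s;
}

/* Receive loop before the fix: every queued frame is dispatched, whatever the socket state. */
static void rfcomm_process_rx_unfixed(struct rfcomm_session *s)
{
	struct sock *sk = s->sk;

	for (int i = 0; i < sk->rx_len; i++)
		rfcomm_recv_frame(s, sk->rx_queue[i]);
	sk->rx_len = 0;
}

/* Receive loop after the fix: frames on a BT_CLOSED socket are discarded.  Returns how many. */
static int rfcomm_process_rx_fixed(struct rfcomm_session *s)
{
	struct sock *sk = s->sk;
	int dropped = 0;

	for (int i = 0; i < sk->rx_len; i++) {
		if (sk->sk_state != BT_CLOSED)
			rfcomm_recv_frame(s, sk->rx_queue[i]);
		else
			dropped++;
	}
	sk->rx_len = 0;
	return dropped;
}

static void enqueue(struct sock *sk, enum frame_type f)
{
	sk->rx_queue[sk->rx_len++] = f;
}

/* Models RFCOMM/L2CAP teardown while the HCI link is still up: the channel
 * loses its l2cap_conn and the socket is marked closed. */
static void l2cap_teardown(struct sock *sk)
{
	sk->chan->conn = NULL;
	sk->sk_state = BT_CLOSED;
}

/* Replays the fuzzer's ordering: one frame handled on the live connection, then
 * L2CAP teardown, then a late frame.  Returns the NULL dereferences that occurred. */
static int replay_race(bool fixed)
{
	struct hci_conn hcon = { .enc_key_size = 16, .sec_level = 2 };
	struct l2cap_conn conn = { .hcon = &hcon };
	struct l2cap_chan chan = { .conn = &conn };
	struct sock sk = { .sk_state = BT_CONNECTED, .chan = &chan, .rx_len = 0 };
	struct rfcomm_session s = { .sk = &sk };

	null_derefs = 0;
	enqueue(&sk, FRAME_NEEDS_SECURITY_CHECK);		/* normal path */
	if (fixed) rfcomm_process_rx_fixed(&s); else rfcomm_process_rx_unfixed(&s);
	l2cap_teardown(&sk);
	enqueue(&sk, FRAME_NEEDS_SECURITY_CHECK);		/* delayed, arrives after teardown */
	if (fixed) rfcomm_process_rx_fixed(&s); else rfcomm_process_rx_unfixed(&s);
	return null_derefs;
}

int main(void)
{
	printf("unfixed: %d NULL deref(s)\n", replay_race(false));
	printf("fixed:   %d NULL deref(s)\n", replay_race(true));
	return 0;
}
```

The point of the model is the lifetime mismatch: the socket receive queue can still hold work after the L2CAP objects it points to are gone, so the dispatch loop, not the handler, is the right place for the state check.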
arch arm64: dts: Fix dtc interrupt_provider warnings 2024-03-26 18:20:26 -04:00
block block: sed-opal: handle empty atoms when parsing response 2024-03-26 18:20:26 -04:00
certs
crypto crypto: api - Disallow identical driver names 2024-01-31 16:16:58 -08:00
Documentation x86/rfds: Mitigate Register File Data Sampling (RFDS) 2024-03-15 10:48:21 -04:00
drivers drm/amdgpu: Enable gpu reset for S3 abort cases on Raven series 2024-03-26 18:20:27 -04:00
fs btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve 2024-03-26 18:20:26 -04:00
include RDMA/mlx5: Fix fortify source warning while accessing Eth segment 2024-03-26 18:20:25 -04:00
init update workarounds for gcc "asm goto" issue 2024-02-23 09:12:28 +01:00
io_uring io_uring: drop any code related to SCM_RIGHTS 2024-03-26 18:20:22 -04:00
ipc
kernel getrusage: use sig->stats_lock rather than lock_task_sighand() 2024-03-15 10:48:22 -04:00
lib netlink: add nla be16/32 types to minlen array 2024-03-06 14:45:06 +00:00
LICENSES
mm readahead: avoid multiple marked readahead pages 2024-03-15 10:48:19 -04:00
net Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security 2024-03-26 18:20:27 -04:00
rust rust: allocator: Prevent mis-aligned allocation 2023-08-11 12:08:18 +02:00
samples work around gcc bugs with 'asm goto' with outputs 2024-02-23 09:12:28 +01:00
scripts gen_compile_commands: fix invalid escape sequence warning 2024-03-26 18:20:25 -04:00
security landlock: Fix asymmetric private inodes referring 2024-03-06 14:45:10 +00:00
sound ASoC: amd: yc: Fix non-functional mic on Lenovo 21J2 2024-03-26 18:20:27 -04:00
tools selftests: tls: use exact comparison in recv_partial 2024-03-26 18:20:24 -04:00
usr
virt kvm/vfio: ensure kvg instance stays around in kvm_vfio_group_add() 2023-09-13 09:42:46 +02:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
.rustfmt.toml
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS trace: Relocate event helper files 2024-03-06 14:45:17 +00:00
Makefile Linux 6.1.82 2024-03-15 14:27:50 -04:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems that may result from upgrading your kernel.