linux-stable/include/net/bluetooth
Ruihan Li a2ac591cb4 Bluetooth: Fix UAF in hci_conn_hash_flush again
Commit 06149746e7 ("Bluetooth: hci_conn: Add support for linking
multiple hcon") reintroduced a previously fixed bug [1] ("KASAN:
slab-use-after-free Read in hci_conn_hash_flush"). This bug was
originally fixed by commit 5dc7d23e16 ("Bluetooth: hci_conn: Fix
possible UAF").

The hci_conn_unlink function was added to avoid invalidating the link
traversal caused by successive hci_conn_del operations releasing extra
connections. However, currently hci_conn_unlink itself also releases
extra connections, resulting in the reintroduced bug.

This patch follows a more robust solution for cleaning up all
connections, by repeatedly removing the first connection until there are
none left. This approach does not rely on the inner workings of
hci_conn_del and ensures proper cleanup of all connections.

Meanwhile, we need to make sure that hci_conn_del never fails. Indeed it
doesn't, as it now always returns zero. To make this a bit clearer, this
patch also changes its return type to void.

Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
Fixes: 06149746e7 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2023-05-19 15:37:45 -07:00
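Added example (not kernel code, and not part of the commit above): a small userland model of the two flush strategies the commit message contrasts. The intrusive list, the "link" field, and the conn_del semantics (releasing a connection also releases its linked connection, the behaviour the message attributes to hci_conn_unlink) are assumptions constructed for illustration, as is the three-connection scenario. Instead of freeing memory it marks nodes released, so a traversal that lands on a released node is counted the way KASAN would report a slab-use-after-free read.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a connection hash list. Field names, the "link"
 * relationship and the release semantics are assumptions for this example,
 * not the kernel's definitions. */
struct conn {
    int handle;
    struct conn *prev, *next; /* intrusive list membership */
    struct conn *link;        /* extra conn released together with this one (assumed) */
    int released;             /* stands in for "this memory has been freed" */
};

struct conn_hash {
    struct conn head;         /* list sentinel */
};

struct flush_result {
    int uaf_reads;            /* iterations that touched an already released conn */
    int left;                 /* conns still on the list when the flush stopped */
};

static void hash_init(struct conn_hash *h)
{
    h->head.next = h->head.prev = &h->head;
}

static void hash_add(struct conn_hash *h, struct conn *c)
{
    c->released = 0;
    c->prev = h->head.prev;
    c->next = &h->head;
    h->head.prev->next = c;
    h->head.prev = c;
}

static void unlink_release(struct conn *c)
{
    c->prev->next = c->next;
    c->next->prev = c->prev;
    c->prev = c->next = NULL; /* dangling-pointer stand-in */
    c->released = 1;
}

/* Models a conn_del that can release more than the conn it was given:
 * the linked conn goes away too, which is what invalidates a cached next. */
static void conn_del(struct conn *c)
{
    if (c->link && !c->link->released)
        unlink_release(c->link);
    unlink_release(c);
}

static int hash_count(const struct conn_hash *h)
{
    int n = 0;
    for (const struct conn *c = h->head.next; c != &h->head; c = c->next)
        n++;
    return n;
}

/* Cached-next traversal (the list_for_each_entry_safe idiom). Breaks at the
 * first released node, where a real kernel would read freed memory. */
static int flush_cached_next(struct conn_hash *h)
{
    int uaf_reads = 0;
    struct conn *c = h->head.next, *n;
    while (c != &h->head) {
        if (c->released) { uaf_reads++; break; }
        n = c->next;          /* cached before conn_del... */
        conn_del(c);          /* ...which may release n as c's link */
        c = n;
    }
    return uaf_reads;
}

/* The fix's approach: re-read the list head every time and delete whatever
 * is first, so nothing cached can be stale no matter what conn_del releases. */
static int flush_first_until_empty(struct conn_hash *h)
{
    int uaf_reads = 0;
    while (h->head.next != &h->head) {
        struct conn *c = h->head.next;
        if (c->released) { uaf_reads++; break; } /* unreachable by construction */
        conn_del(c);
    }
    return uaf_reads;
}

/* Constructed scenario: three conns where releasing conn 1 also releases
 * its linked conn 2, the successor a cached-next walk would step onto. */
static void build_scenario(struct conn_hash *h, struct conn pool[3])
{
    hash_init(h);
    for (int i = 0; i < 3; i++) {
        pool[i].handle = i + 1;
        pool[i].link = NULL;
        hash_add(h, &pool[i]);
    }
    pool[0].link = &pool[1];
}

struct flush_result run_cached_next(void)
{
    struct conn_hash h; struct conn pool[3]; struct flush_result r;
    build_scenario(&h, pool);
    r.uaf_reads = flush_cached_next(&h);
    r.left = hash_count(&h);
    return r;
}

struct flush_result run_first_until_empty(void)
{
    struct conn_hash h; struct conn pool[3]; struct flush_result r;
    build_scenario(&h, pool);
    r.uaf_reads = flush_first_until_empty(&h);
    r.left = hash_count(&h);
    return r;
}

int main(void)
{
    struct flush_result a = run_cached_next(), b = run_first_until_empty();
    printf("cached-next:        uaf reads=%d, conns left=%d\n", a.uaf_reads, a.left);
    printf("first-until-empty:  uaf reads=%d, conns left=%d\n", b.uaf_reads, b.left);
    return 0;
}
```

The cached-next walk stops on a released node with one connection still on the list; the first-until-empty loop drains all three without ever holding a pointer across a conn_del call, which is why it does not depend on what conn_del happens to release.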
bluetooth.h Bluetooth: Split bt_iso_qos into dedicated structures 2023-04-23 21:59:17 -07:00
coredump.h Bluetooth: Add support for hci devcoredump 2023-04-23 21:57:59 -07:00
hci.h Bluetooth: Add new quirk for broken set random RPA timeout for ATS2851 2023-04-23 22:04:26 -07:00
hci_core.h Bluetooth: Fix UAF in hci_conn_hash_flush again 2023-05-19 15:37:45 -07:00
hci_mon.h Bluetooth: monitor: Add support for ISO packets 2020-01-15 22:28:51 +01:00
hci_sock.h Bluetooth: Fix HCIGETDEVINFO regression 2022-09-08 14:33:53 -07:00
hci_sync.h Bluetooth: hci_sync: Only allow hci_cmd_sync_queue if running 2023-04-23 22:07:43 -07:00
iso.h Bluetooth: ISO: Add broadcast support 2022-07-22 17:14:13 -07:00
l2cap.h Bluetooth: L2CAP: Delay identity address updates 2023-04-23 21:48:44 -07:00
mgmt.h Bluetooth: MGMT: Use BIT macro when defining bitfields 2023-04-23 21:41:22 -07:00
rfcomm.h Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
sco.h Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections 2020-06-12 15:08:49 +02:00