Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp2816531ybc;
        Mon, 25 Nov 2019 04:45:57 -0800 (PST)
X-Google-Smtp-Source: APXvYqzWrayu1s/zAB/MXjoHo+MaS+7m0hawnWaok3o+jmNSxKWE58GX/IZqYK+2lq3jXsUWM/Qj
X-Received: by 2002:a05:6402:78b:: with SMTP id d11mr17846163edy.92.1574685957804;
        Mon, 25 Nov 2019 04:45:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1574685957; cv=none;
        d=google.com; s=arc-20160816;
        b=mpovjFHAk3UhT/Z8NbxssV2+399uKDx83jddYs3icbQfZBxNbpw3gKuTcB29bBf/Lr
         cUl2hLwSPyt8OjzuXtm7LnQ8oAobHTF0OQ4Hi43OZt8RxHvyLkx51yO8V2+fBsuPFwp5
         nXppg7U8Yc2kIkKMbQaEJk8IbTghrnknlO56MhW2PYUPTwuASkaYGvxmIAO3BdGWmhDz
         xYa676pCWOIxik+Q1+ixdM1jAmWu9Ii8fmIuG6Ws0ScbPMpbBqHEdA0Z0Gx3r8IwqkFd
         Z5zWDq3Aac0AiyFZjfpg0e+MZgB1f/MD3R9SZ8fi14U5UHH1rUeHI6p1sZ09VACGBHWI
         a4pw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=YC6GgXhvDqK3KuJ1zNfssrAFRF4tIpatp2t0FHXg91E=;
        b=CrSLKXQ7LZjSch5hyea0xtrOGTNmUpqFV/xYEkhVDfLZ7z4yOy9NwbW3/M5vIx/Rij
         /XyefrAoihCKEm7QCY9I+JpmkKTvxpCYrTfr38u/ugOYhts+LS9j91CBuj8iHmCmGyBb
         BgEjykQCZtSu/ia3Fi9+pcZhtM935o0pAr/S0Ue/8Co+rLvwh5f0m4rv5aJhtiVcNZ5r
         nUdORoHqUJwKZMFlHgi+6dCqmuJT8igT9aYUJbiesF77XNjzUXOMI4RmOmWN7aJTIKcv
         YXGZ94hlZPxOLGmQSmR1Crr48e6tj45ajiowNdlqNc+/TqvLLDHACF4FwRc9EwvLXcJM
         GyEA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=qTQ08Az4;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f11si4346424ejr.10.2019.11.25.04.45.33;
        Mon, 25 Nov 2019 04:45:57 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=qTQ08Az4;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727451AbfKYMlG (ORCPT <rfc822;nagarajgollar18@gmail.com>
        + 99 others); Mon, 25 Nov 2019 07:41:06 -0500
Received: from mail-wr1-f68.google.com ([209.85.221.68]:39573 "EHLO
        mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727401AbfKYMlF (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Mon, 25 Nov 2019 07:41:05 -0500
Received: by mail-wr1-f68.google.com with SMTP id y11so14724706wrt.6
        for <linux-bluetooth@vger.kernel.org>; Mon, 25 Nov 2019 04:41:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=YC6GgXhvDqK3KuJ1zNfssrAFRF4tIpatp2t0FHXg91E=;
        b=qTQ08Az4xt87bEfe0uAzQYoE0QE9JGN0wbbUE7N/GN/Q7MuQ0BzJHGZ+LyNEDgVSt3
         fymS1MMSQxnXmD9G3P8KMuTY7jw6X2kTsrn/tzBvmDgBfRLXhSlQvnD8imhXIHHT5byU
         +SSr+rFBhBF579//D0GKJY91FRm8J4aEXOjiHKmU8GEFq0edNBiHtTQmMa0NXG2jw1/p
         kUbsoVt++EaaYhw1/dinAQnQJHEIS3WiZCu+6ksCmwzMFcwn+0btDr8PLv0CJBKX8ntD
         6m8Y52jHvzCiPdeTs2NYzkYqYuXu4fOxTMwu7kY7EYD7bhvh/GyEe5jZ+7YIrKlixZEQ
         30cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=YC6GgXhvDqK3KuJ1zNfssrAFRF4tIpatp2t0FHXg91E=;
        b=uCnr/WNZ7Kxo3W0dn5zZi+99XBrAL0ptIO+oMrv2cThGEVfVCAIfVclNjK7V5cG/E7
         LJCqwk2NNfuoj2Amc4PaoODJQNulUHALStJt7Z2lX0cR0w/4+f+wUHP4880/NweSb+Ze
         OPEWLnX7VL+IYYGeqqHghMu6+UJhExPznGNJkFZpc1WcWLWy0dLXwX7BcCWD9CaD0Nbu
         yZbobthSSNRS1tQgHXXqw/2/K6HQkCxmF/O5qHzmhZE/NoOjJkZhflppmJouc06zMC1r
         2RkwwI6+becKrPBwnTEnRzb/TEcNStvz6t0ax2EG11yZETSu3e/cOTKBhFKL3m2SBQYC
         PKDw==
X-Gm-Message-State: APjAAAVRbzXK/ObQan7uv66FflsEp7nnylkOPASfRjomCFOa2ViMhbdP
        Fun2gw+QU370zThDUfSEFaw6r3eQSHQqeA2R9Ot9Dg==
X-Received: by 2002:adf:e911:: with SMTP id f17mr32946834wrm.300.1574685663091;
 Mon, 25 Nov 2019 04:41:03 -0800 (PST)
MIME-Version: 1.0
References: <000000000000109f9605964acf6c@google.com> <20191101204244.14509-1-tomasbortoli@gmail.com>
 <E16896E5-B946-450F-BF42-04665D219EEA@holtmann.org>
In-Reply-To: <E16896E5-B946-450F-BF42-04665D219EEA@holtmann.org>
From:   Alexander Potapenko <glider@google.com>
Date:   Mon, 25 Nov 2019 13:40:51 +0100
Message-ID: <CAG_fn=Xqb1KoAvV==F5sODUYHDsxCxaz72n6qucdkR70XGCkig@mail.gmail.com>
Subject: Re: [PATCH] Fix invalid-free in bcsp_close()
To:     Marcel Holtmann <marcel@holtmann.org>,
        Tomas Bortoli <tomasbortoli@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     Johan Hedberg <johan.hedberg@gmail.com>,
        Bluez mailing list <linux-bluetooth@vger.kernel.org>,
        lkml <linux-kernel@vger.kernel.org>,
        syzkaller <syzkaller@googlegroups.com>,
        syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Tomas, Marcel, Greg,

On Mon, Nov 4, 2019 at 3:20 PM Marcel Holtmann <marcel@holtmann.org> wrote:
>
> Hi Tomas,
>
> > Syzbot reported an invalid-free that I introduced fixing a memleak.
> >
> > bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
> > Nullify bcsp->rx_skb every time it is freed.
> >
> > Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
> > Reported-by: syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
> > ---
> > drivers/bluetooth/hci_bcsp.c | 3 +++
> > 1 file changed, 3 insertions(+)
>
> patch has been applied to bluetooth-next tree.
I believe this bug requires stable tags, as it can potentially provide
an arbitrary write (via __skb_unlink) and is triggerable locally with
user privileges.
> Regards
>
> Marcel
>
> --
> You received this message because you are subscribed to the Google Groups=
 "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an=
 email to syzkaller+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgi=
d/syzkaller/E16896E5-B946-450F-BF42-04665D219EEA%40holtmann.org.



--=20
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Stra=C3=9Fe, 33
80636 M=C3=BCnchen

Gesch=C3=A4ftsf=C3=BChrer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg