Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp1368710rdb; Fri, 16 Feb 2024 13:35:55 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUXH2VcYdMIcUSHautZyOSB+qCNPftY9A1Mbfs0OP5MM/WQU0F+iiRCwv6Sg8sn2wYvjZGH2webJU+TuK7cKb/i0cSS1S131a+XqjpJvQ== X-Google-Smtp-Source: AGHT+IFeGar3sQ8PHLUPJB9gEuYtYTNNagqMrLmD5vgSImQ0nzozM5IwA924L7jd/+LnUoyCN6hD X-Received: by 2002:a17:90a:f0d2:b0:299:a67:c1fd with SMTP id fa18-20020a17090af0d200b002990a67c1fdmr4821504pjb.45.1708119355118; Fri, 16 Feb 2024 13:35:55 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708119355; cv=pass; d=google.com; s=arc-20160816; b=OEIU+NKUqMjeLELLTSYf+qy5gO0uyVrsmrS21U7SYnMa06+lkbvwY87IXviyt+5/aG 0KWxHPJO0cKvmbX0/chheXxQDk2hgT87vgOzh9EOw8cIcyJA105NMIhW/iG6ZzSeRmLN 7tAEO73iAtcRuv2lJkXPYbuN26Q8mEV0TCG2O1Y/JiqEfn/QWYZCbk1b3x3F8nyL+GG8 6PL9s3QGEBxOBWgtUALtXsbtGVEP76iLn2Zd1C4L8Q7do9epu67MyF8Sw0ra08980XfH lHjKc+rExygb425RqsoR+n9PYgUFUU80dQDXCIeV5C/RcbJqSex5z8lov7VO06VZ0Ye1 UeRA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:to:from :dkim-signature; bh=DbvPwMWXHxIoAutYoi9BmYEjc1HecrPVP1v//BsFqIo=; fh=4lGQI6056MBa4/oovMyIYaKLn+Wz/24RGvUivMmQP8E=; b=NhciQtq7VhyUkeDh/Jl8XINUrBjVzegSfUU5Kr9N/PmRXwcam21KWTZYEKb/6oBjNg 7AguJhx79ac9yVUvQUNk6NeVI6U5TSOr08adu2fK27fmvpOmXXMWjvCUXaxbS89uQCxY qAYXWZKleXRRYlEMV8/eV4PbAXHmOtv1NAjByVJrhdpoi78h+QQHLXJQ/km73Jg6Kk62 +jKmjCXbKboWxQy1C32hjIIewoB7lz4YV2Xh+TR2ciKV1gJdNWh1aqhW+KKagJSIuZIy lqflxs+dTxNBY9+F2eb7HBkWyOqZUDK3r+wpxqUr6LdVx5NBtus8vE7WdGAU/KaTPlhg 6xtg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=PHyHgsVJ; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-bluetooth+bounces-1946-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-1946-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id kk3-20020a17090b4a0300b00295e0f76b7csi503906pjb.172.2024.02.16.13.35.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Feb 2024 13:35:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-1946-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=PHyHgsVJ; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-bluetooth+bounces-1946-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-1946-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 27C2EB21B7C for ; Fri, 16 Feb 2024 20:50:20 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AFAD8135A74; Fri, 16 Feb 2024 20:50:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="PHyHgsVJ" X-Original-To: linux-bluetooth@vger.kernel.org Received: from mail-ua1-f41.google.com (mail-ua1-f41.google.com [209.85.222.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E0AC2D603 for ; Fri, 16 Feb 2024 20:50:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708116613; cv=none; b=Jsxv6QwxL5e1qr4AglSKEfV+CZOgPPIJhptF8+wTDkWPMEFNKqCexzGH/E5gcMjC8Sh65DL2ZgcFj4hoRn+3OqNQENfoAJfJ2yEM4gCr8JhOMi1wG4hhV76R2DmZDed0KUsvKISSNmSZ6u9+urAcMNbWrql+hJDVeukU1fL3no8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708116613; c=relaxed/simple; bh=RfQt5AoJl3Zz+dm7YvMXhsNwC3cMYxKFFIjqjTrhhzY=; h=From:To:Subject:Date:Message-ID:MIME-Version; b=tW4qDgUQjV1UqEfC+vxikOaGvdVnAj53srAGqSsyRU0wZsnpWzEHFyc8umUD16y2aXdwUAk4NRuRjsCApk6O+wmzl7WNoJsnMQ0oegPOnYWDea3jiRdFMDGW983IJY3bRAQrdDlmJmqSubIWMlW1GOfg0l6XDzIsJqLt/tPvpPE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=PHyHgsVJ; arc=none smtp.client-ip=209.85.222.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-ua1-f41.google.com with SMTP id a1e0cc1a2514c-7d2a67daa25so1359221241.0 for ; Fri, 16 Feb 2024 12:50:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708116609; x=1708721409; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=DbvPwMWXHxIoAutYoi9BmYEjc1HecrPVP1v//BsFqIo=; b=PHyHgsVJYi6qIAOb1bYDwuLf6mAL0JCHA/HC5fv+bE70tiyyoMBqNqaKczfbq55Ylq XydQ9Y0hN7rHFwk4W1nJjdSfTda6FdCGZzMt4MlZvElmIZ88tgcNrGETTKoDfhze85wX A0cXCvrYuNDcLIpqmBTUrgGQUKP+kwlVlJGUNnlBTrLbgRWk1KTE8MgYZCjI4r8yjD5D oZV8g/2sr7j4+CNaAMBA7T242yI8VAqkRQdqKtsdSiDZQ5pR6VIfTsSZpJgl5AdhQddz XcpVQc4QSfuM9eTF+1Nq3kZ55FbPn7pM1mOlEaeC3R6abl2ya5KB67gNR/yrJa8UG8+n igkQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708116609; x=1708721409; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DbvPwMWXHxIoAutYoi9BmYEjc1HecrPVP1v//BsFqIo=; b=FbTYZC+rsfh56dKADq0KkcU1SkurFc4XQkxdWq3gaZVJ95yZaBrD182h1Fe5E60SMF Q1DODbkSHh+TiFIt3e/oKyq4L4BOX54VAJ4C9dggxZm3tFX5vC+UUJOiDSVXhubN83IE FDV08uZ/uYdkZENuORDngKINZ7qts/huVUanNwWk084fowvtnweLrEjuYPPZCOa5fi3D QK/46XJRMHG58Icq+rlgP6ymu5fVqTKDzpqu6rocY8zirQwiSAdXtEIaWQlUbL7SM4gr LanWh9e2mfSJrKxpAyTqKQHYFB1guEEDI+ncwGizSkO2eb2N7VbPQ3j/LW/es4Gpejb5 U+mw== X-Gm-Message-State: AOJu0YzKb1TeP+WYzmwYEPoSTjtsa1s9f2Paiu9x9Y8AsUTPSft5trk8 duwWd/XCIasJKssz6Ek9loG6y5mgKG4Jsep2wo5ZYh0SqaHp2xzT8a3pFegH X-Received: by 2002:a67:e94e:0:b0:46e:e845:3bdd with SMTP id p14-20020a67e94e000000b0046ee8453bddmr6210082vso.8.1708116608492; Fri, 16 Feb 2024 12:50:08 -0800 (PST) Received: from lvondent-mobl4.. (071-047-239-151.res.spectrum.com. [71.47.239.151]) by smtp.gmail.com with ESMTPSA id v16-20020a67ff90000000b0046d486b547fsm92274vsq.31.2024.02.16.12.50.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Feb 2024 12:50:07 -0800 (PST) From: Luiz Augusto von Dentz To: linux-bluetooth@vger.kernel.org Subject: [PATCH v1] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Date: Fri, 16 Feb 2024 15:50:05 -0500 Message-ID: <20240216205005.111967-1-luiz.dentz@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Luiz Augusto von Dentz Fixes the following trace where hci_acl_create_conn_sync attempts to call hci_abort_conn_sync after timeout: BUG: KASAN: slab-use-after-free in hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439) Read of size 2 at addr ffff88800322c032 by task kworker/u3:2/36 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: dump_stack_lvl (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:127 lib/dump_stack.c:107) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? preempt_count_sub (kernel/sched/core.c:5889) ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 (discriminator 1) ./include/linux/rcupdate.h:865 (discriminator 1) ./include/linux/mmzone.h:2026 (discriminator 1) arch/x86/mm/physaddr.c:65 (discriminator 1)) ? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439) kasan_report (mm/kasan/report.c:603) ? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439) hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439) ? __pfx_hci_abort_conn_sync (net/bluetooth/hci_sync.c:5433) hci_acl_create_conn_sync (net/bluetooth/hci_sync.c:6681) Fixes: 456561ba8e49 ("Bluetooth: hci_conn: Only do ACL connections sequentially") Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/hci_sync.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index b7d8e99e2a30..4a28aef2f01f 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -6670,15 +6670,10 @@ static int hci_acl_create_conn_sync(struct hci_dev *hdev, void *data) else cp.role_switch = 0x00; - err = __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN, - sizeof(cp), &cp, - HCI_EV_CONN_COMPLETE, - conn->conn_timeout, NULL); - - if (err == -ETIMEDOUT) - hci_abort_conn_sync(hdev, conn, HCI_ERROR_LOCAL_HOST_TERM); - - return err; + return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN, + sizeof(cp), &cp, + HCI_EV_CONN_COMPLETE, + conn->conn_timeout, NULL); } int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn) -- 2.43.0