Subject: Re: [PATCH v2] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
Date: Thu, 22 Feb 2024 11:23:05 +0000
To: Hyunwoo Kim, marcel@holtmann.org, luiz.dentz@gmail.com
Cc: imv4bel@gmail.com, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org
Message-ID: <8dad5b42-a843-4935-a31e-91a2eadf0c72@collabora.com>
References: <20231209105518.GA408904@v4bel-B760M-AORUS-ELITE-AX>
From: Martyn Welch In-Reply-To: <20231209105518.GA408904@v4bel-B760M-AORUS-ELITE-AX> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Hi Hyunwoo, I've been looking into a few CVEs, the one of interest in this case is CVE-2024-21803. There seems to be little publicly available information about this CVE, however the title of this patch and the affected kernel range suggest this may be a fix for this CVE. Would you be able to clarify whether this is a fix for CVE-2024-21803? Thanks, Martyn On 09/12/2023 10:55, Hyunwoo Kim wrote: > This can cause a race with bt_sock_ioctl() because > bt_sock_recvmsg() gets the skb from sk->sk_receive_queue > and then frees it without holding lock_sock. > A use-after-free for a skb occurs with the following flow. > ``` > bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() > bt_sock_ioctl() -> skb_peek() > ``` > Add lock_sock to bt_sock_recvmsg() to fix this issue. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Hyunwoo Kim > --- > v1 -> v2: Remove duplicate release_sock()s > --- > net/bluetooth/af_bluetooth.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c > index 336a76165454..b93464ac3517 100644 > --- a/net/bluetooth/af_bluetooth.c > +++ b/net/bluetooth/af_bluetooth.c > @@ -309,11 +309,14 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, > if (flags & MSG_OOB) > return -EOPNOTSUPP; > > + lock_sock(sk); > + > skb = skb_recv_datagram(sk, flags, &err); > if (!skb) { > if (sk->sk_shutdown & RCV_SHUTDOWN) > - return 0; > + err = 0; > > + release_sock(sk); > return err; > } > > @@ -343,6 +346,8 @@ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, > > skb_free_datagram(sk, skb); > > + release_sock(sk); > + > if (flags & MSG_TRUNC) > copied = skblen; >
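Review bot: in the first hunk, lock_sock(sk) is now held across skb_recv_datagram(), which for a blocking read (no MSG_DONTWAIT) sleeps until an skb is queued on sk->sk_receive_queue; if any path that queues data to this socket also needs lock_sock(), the sleeping reader holds the lock the producer needs and the socket deadlocks. The race described in the commit message is only between skb_peek() in bt_sock_ioctl() and the dequeue and skb_free_datagram() here, so a narrower fix is to serialise those two accesses on the non-sleeping sk_receive_queue.lock, or to take lock_sock() only after skb_recv_datagram() returns so that it covers the copy and the free but not the wait for data. Either way, the commit message should state why holding the socket lock while waiting is safe for every Bluetooth socket type that goes through bt_sock_recvmsg().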