Thanks for your explanation.

On Sun, Dec 1, 2024 at 5:05 AM Jeroen Roovers <j...@xs4all.nl> wrote:

> On Sat, 30 Nov 2024 16:32:17 +0800
> tianshu qiu <jimuchutiansh...@gmail.com> wrote:
>
> > After careful analysis and debugging, I guess the commit:
> >
> > https://github.com/torvalds/linux/commit/e6720779ae612a14ac4ba7fe4fd5b27d900d932c
> > has solved the UAF.
> > The introduction of kref object ensures the dangling sco_conn object
> > being freed in the function sco_conn_del when asynchronous hci event
> > thread is invoked, which stops
> > the subsequent exploit chain.
> >
> > I'm not sure if this commit is related to the email I sent, because I
> > sent the first email to secur...@kernel.org on November 14th, and
> > the commit was on November 15th.
>
> The commit you mention above was submitted on 1 October 2024:
>
>
> commit e6720779ae612a14ac4ba7fe4fd5b27d900d932c
> Author: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
> Date:   Tue Oct 1 15:46:10 2024 -0400
>
>     Bluetooth: SCO: Use kref to track lifetime of sco_conn
>
>     This make use of kref to keep track of reference of sco_conn which
>     allows better tracking of its lifetime with usage of things like
>     kref_get_unless_zero in a similar way as used in l2cap_chan.
>
>     In addition to it remove call to sco_sock_set_timer on
>     __sco_sock_close since at that point it is useless to set a timer
>     as the sk will be freed there is nothing to be done in
>     sco_sock_timeout.
>
>     Signed-off-by: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
>
>
> Luiz' commit from 15 November 2024 is this one:
>
>
> commit 0b882940665ca2849386ee459d4331aa2f8c4e7d
> Author: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
> Date:   Fri Nov 15 10:45:31 2024 -0500
>
>     Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
>
>     This fixes the following crash:
>
>     ==================================================================
>     BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0
>     net/bluetooth/mgmt.c:1353 Read of size 8 at addr ffff888029b4dd18
>     by task kworker/u9:0/54
>
>     [...]
>
>     Reported-by: syzbot+03d6270b6425df160...@syzkaller.appspotmail.com
>     Tested-by: syzbot+03d6270b6425df160...@syzkaller.appspotmail.com
>     Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf
>     Fixes: 275f3f648702 ("Bluetooth: Fix not checking MGMT cmd pending queue")
>     Signed-off-by: Luiz Augusto von Dentz <luiz.von.de...@intel.com>
>
>
>
> Kind regards,
>      jer
>
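The first commit quoted above explains the fix only in one sentence: a kref on sco_conn, with kref_get_unless_zero, so that an asynchronous path refuses to touch a connection whose last reference is already gone. The following user-space model, added here and not taken from the kernel or from either commit, shows why that primitive closes the window. The kref helpers are a small re-implementation with the kernel's names; conn_table, sco_conn_lookup, sco_async_handler, run_deferred_free and the deferred single-slot release queue are constructed for the demonstration and do not correspond to the real sco.c layout.

```c
/* Added example: user-space model of the kref lifetime pattern (not kernel code).
 * Build: cc -std=c11 -Wall kref_demo.c && ./a.out */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct kref { atomic_uint refcount; };

static void kref_init(struct kref *k) { atomic_store(&k->refcount, 1); }
static void kref_get(struct kref *k)  { atomic_fetch_add(&k->refcount, 1); }

/* Drop one reference; run release() when the last one goes. Returns 1 if released. */
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
    if (atomic_fetch_sub(&k->refcount, 1) == 1) { release(k); return 1; }
    return 0;
}

/* Take a reference only while refcount > 0. An object already at zero is being
 * torn down, so a late timer/event handler must not revive or touch it. */
static bool kref_get_unless_zero(struct kref *k)
{
    unsigned int old = atomic_load(&k->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&k->refcount, &old, old + 1))
            return true;
    return false;
}

/* Stand-in for sco_conn; only the fields the model needs (constructed). */
struct sco_conn {
    struct kref ref;   /* first member, so (struct sco_conn *)kref is container_of */
    int handle;
};

#define MAX_CONNS 4
static struct sco_conn *conn_table[MAX_CONNS]; /* constructed lookup structure */
static struct sco_conn *deferred_free;          /* constructed: release pending */
static int freed_count;

/* Refcount hit zero. Like a deferred free, the object stays reachable through
 * conn_table for a moment with refcount 0: exactly the window in which a plain
 * kref_get would resurrect it (and a later put would free it twice). */
static void sco_conn_release(struct kref *k) { deferred_free = (struct sco_conn *)k; }

static void run_deferred_free(void)
{
    if (!deferred_free) return;
    for (int i = 0; i < MAX_CONNS; i++)
        if (conn_table[i] == deferred_free) conn_table[i] = NULL;
    free(deferred_free);
    deferred_free = NULL;
    freed_count++;
}

static struct sco_conn *sco_conn_add(int handle)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        if (conn_table[i]) continue;
        struct sco_conn *conn = calloc(1, sizeof(*conn));
        if (!conn) return NULL;
        kref_init(&conn->ref);   /* creator holds the first reference */
        conn->handle = handle;
        conn_table[i] = conn;
        return conn;
    }
    return NULL;
}

/* Synchronous teardown: the creator drops its reference. */
static void sco_conn_del(struct sco_conn *conn) { kref_put(&conn->ref, sco_conn_release); }

static struct sco_conn *sco_conn_lookup(int handle)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (conn_table[i] && conn_table[i]->handle == handle) return conn_table[i];
    return NULL;
}

/* Asynchronous path (a timer or event callback). Returns the handle it used,
 * or -1 when the connection is absent or already dying. */
static int sco_async_handler(int handle)
{
    struct sco_conn *conn = sco_conn_lookup(handle);
    if (!conn || !kref_get_unless_zero(&conn->ref)) return -1;
    int h = conn->handle;                    /* safe: we hold a reference */
    kref_put(&conn->ref, sco_conn_release);  /* may itself be the last put */
    return h;
}

/* Walks one connection's lifetime; returns how many of the 7 expectations hold. */
static int run_lifetime_scenario(void)
{
    int ok = 0;
    struct sco_conn *conn = sco_conn_add(0x11);
    if (!conn) return ok;
    ok += (sco_async_handler(0x11) == 0x11);              /* live object usable   */
    kref_get(&conn->ref);                                  /* second holder (socket)*/
    sco_conn_del(conn);                                    /* creator's ref dropped */
    ok += (sco_async_handler(0x11) == 0x11);              /* still alive via socket*/
    ok += (kref_put(&conn->ref, sco_conn_release) == 1);  /* last ref: release     */
    ok += (freed_count == 0);                              /* free is still pending */
    ok += (sco_async_handler(0x11) == -1);                /* refcount 0: refused   */
    run_deferred_free();
    ok += (freed_count == 1);                              /* now unlinked and freed*/
    ok += (sco_conn_lookup(0x11) == NULL);                /* lookup misses          */
    return ok;
}

int main(void)
{
    int passed = run_lifetime_scenario();
    printf("%d/7 lifetime checks passed\n", passed);
    return passed == 7 ? 0 : 1;
}
```

The interesting step is the fifth check: the connection is still reachable through the lookup table, but its refcount is zero, so kref_get_unless_zero returns false and the handler backs off without dereferencing anything. Replace it with an unconditional kref_get and the count goes 0 to 1 and back to 0, queuing the release a second time; that is the shape of the double-free/use-after-free the commit's kref conversion is meant to prevent.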
