Skip to content

Commit 19695c6

Browse files
PlaidCatPlaidCat
committed
Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
jira LE-3262 cve CVE-2025-21969 Rebuild_History Non-Buildable kernel-5.14.0-570.22.1.el9_6 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit b4f82f9 After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837 CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci1 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline] l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline] l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline] hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5837: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726 hci_event_func net/bluetooth/hci_event.c:7473 [inline] hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 54: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Reported-by: syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=31c2f641b850a348a734 Tested-by: syzbot+31c2f641b850a348a734@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit b4f82f9) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
1 parent 3ed86f2 commit 19695c6

File tree

1 file changed

+34
-5
lines changed

1 file changed

+34
-5
lines changed

net/bluetooth/l2cap_core.c

Lines changed: 34 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -948,6 +948,16 @@ static u8 l2cap_get_ident(struct l2cap_conn *conn)
948948
return id;
949949
}
950950

951+
static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
952+
u8 flags)
953+
{
954+
/* Check if the hcon still valid before attempting to send */
955+
if (hci_conn_valid(conn->hcon->hdev, conn->hcon))
956+
hci_send_acl(conn->hchan, skb, flags);
957+
else
958+
kfree_skb(skb);
959+
}
960+
951961
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
952962
void *data)
953963
{
@@ -970,7 +980,7 @@ static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
970980
bt_cb(skb)->force_active = BT_POWER_FORCE_ACTIVE_ON;
971981
skb->priority = HCI_PRIO_MAX;
972982

973-
hci_send_acl(conn->hchan, skb, flags);
983+
l2cap_send_acl(conn, skb, flags);
974984
}
975985

976986
static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
@@ -1792,20 +1802,18 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
17921802

17931803
mutex_unlock(&conn->chan_lock);
17941804

1795-
hci_chan_del(conn->hchan);
1796-
17971805
if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
17981806
cancel_delayed_work_sync(&conn->info_timer);
17991807

18001808
hcon->l2cap_data = NULL;
1801-
conn->hchan = NULL;
18021809
l2cap_conn_put(conn);
18031810
}
18041811

18051812
static void l2cap_conn_free(struct kref *ref)
18061813
{
18071814
struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
18081815

1816+
hci_chan_del(conn->hchan);
18091817
hci_conn_put(conn->hcon);
18101818
kfree(conn);
18111819
}
@@ -7466,14 +7474,33 @@ static void l2cap_recv_reset(struct l2cap_conn *conn)
74667474
conn->rx_len = 0;
74677475
}
74687476

7477+
static struct l2cap_conn *l2cap_conn_hold_unless_zero(struct l2cap_conn *c)
7478+
{
7479+
BT_DBG("conn %p orig refcnt %u", c, kref_read(&c->ref));
7480+
7481+
if (!kref_get_unless_zero(&c->ref))
7482+
return NULL;
7483+
7484+
return c;
7485+
}
7486+
74697487
void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
74707488
{
7471-
struct l2cap_conn *conn = hcon->l2cap_data;
7489+
struct l2cap_conn *conn;
74727490
int len;
74737491

7492+
/* Lock hdev to access l2cap_data to avoid race with l2cap_conn_del */
7493+
hci_dev_lock(hcon->hdev);
7494+
7495+
conn = hcon->l2cap_data;
7496+
74747497
if (!conn)
74757498
conn = l2cap_conn_add(hcon);
74767499

7500+
conn = l2cap_conn_hold_unless_zero(conn);
7501+
7502+
hci_dev_unlock(hcon->hdev);
7503+
74777504
if (!conn)
74787505
goto drop;
74797506

@@ -7565,6 +7592,8 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
75657592
break;
75667593
}
75677594

7595+
l2cap_conn_put(conn);
7596+
75687597
drop:
75697598
kfree_skb(skb);
75707599
}

0 commit comments

Comments
 (0)