Re: bluetooth: use-after-free in vhci_send_frame

From: Jiri Slaby
Date: Fri Mar 18 2016 - 12:59:14 EST

Next message: Dmitry Torokhov: "Re: [PATCH] staging: delete STE RMI4 hackish driver"
Previous message: kbuild test robot: "[RFC PATCH linux-next] ovs: internal_set_rx_headroom() can be static"
In reply to: Jiri Slaby: "Re: bluetooth: use-after-free in vhci_send_frame"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 03/08/2016, 07:32 PM, Marcel Holtmann wrote:
> that means very little to me actually. So is the real issue caused by opening /dev/vhci or is that theoretical one via some internal kernel compile time feature.

Hi, what do you think about this one?

--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -196,6 +196,11 @@ static inline ssize_t vhci_get_user(stru

cancel_delayed_work_sync(&data->open_timeout);

+ if (data->hdev) {
+ kfree_skb(skb);
+ return -EBADFD;
+ }
+
opcode = *((__u8 *) skb->data);
skb_pull(skb, 1);

open_timeout could be in progress (raced with us) and _sync cancel
waited for vhci_create_device to actually finish and create the device
the second time.

thanks,
--
js
suse labs

Next message: Dmitry Torokhov: "Re: [PATCH] staging: delete STE RMI4 hackish driver"
Previous message: kbuild test robot: "[RFC PATCH linux-next] ovs: internal_set_rx_headroom() can be static"
In reply to: Jiri Slaby: "Re: bluetooth: use-after-free in vhci_send_frame"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]