Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
From: Salvatore Bonaccorso
Date: Sat Sep 09 2023 - 07:22:11 EST
On Sat, Sep 09, 2023 at 08:49:52AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> -----Original Message-----
> From: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
> Sent: Friday, September 8, 2023 12:39 PM
> To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
>
> > A: http://en.wikipedia.org/wiki/Top_post
> > Q: Were do I find info about this thing called top-posting?
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> > A: Top-posting.
> > Q: What is the most annoying thing in e-mail?
>
> > A: No.
> > Q: Should I include quotations after my reply?
>
>
> > http://daringfireball.net/2007/07/on_top
>
> On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> > Hi Greg,
> >
> > This change is required to fix kernel CVE: CVE-2023-1989 which is
> > reported in v6.1 kernel version.
>
> > Which change?
>
> [Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel.
>
> Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
>
> From: Zheng Wang <zyytlz.wz@xxxxxxx>
>
> [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
>
> In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame.
>
> If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove.
>
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> Signed-off-by: Deepak Rathore <deeratho@xxxxxxxxx>
>
> diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644
> --- a/drivers/bluetooth/btsdio.c
> +++ b/drivers/bluetooth/btsdio.c
> @@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func)
> if (!data)
> return;
>
> + cancel_work_sync(&data->work);
> hdev = data->hdev;
>
> sdio_set_drvdata(func, NULL);
> --
> 2.35.6
>
>
> > It is fixed in upstream starting from v6.3 kernel version and required
> > to fix in 6.1 kernel version as well so we have backported this from
> > v6.3 kernel version to v6.1 and I have sent this patch for review and
> > merging.
>
> > Again, what commit are you referring to here.
>
> > confused,
>
> > greg k-h
>
> [Deepak]: Sorry for the inconvenience that my message did not provide all the details.
> The kernel CVE: CVE-2023-1989 is fixed in upstream with this commit: https://github.com/torvalds/linux/commit/73f7b171b7c09139eb3c6a5677c200dc1be5f318
> Starting from v6.3 kernel and we have to fix this in 6.1 kernel as well, so we have backported this from v6.3 kernel version to v6.1 kernel.
This change was already backported to 6.1.y and released in v6.1.52?
It is commit 179c65828593aff1f444e15debd40a477cb23cf4 .
Regards,
Salvatore