Re: [PATCH] hci: fix double free in hci_req_sync
From: Yunseong Kim
Date: Mon Jul 01 2024 - 16:14:50 EST
Hi Luiz,
On 7/2/24 5:06 오전, Luiz Augusto von Dentz wrote:
> Hi,
>
> On Mon, Jul 1, 2024 at 3:45 PM Yunseong Kim <yskelg@xxxxxxxxx> wrote:
>>
>> The approach taken to address the 'CVE-2024-35978' introduced another
>> double-free vulnerability. commit 45d355a926ab
>> ("Bluetooth: Fix memory leak in hci_req_sync_complete()")
>>
>> 'hdev->req_skb' double free scenario:
>>
>> cpu1 cpu2
>> ==== ====
>> sock_ioctl
>> sock_do_ioctl
>> hci_sock_ioctl
>> hci_dev_cmd
>> hci_req_sync
>
> hci_req_sync is no longer called from hci_dev_cmd:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=6851d11d389ceb00c1220b267b9a04f54dbc4573
>
> And I'm in process of removing hci_request.c completely.
>
>> __hci_req_sync hci_rx_work
>> kfree_skb(hdev->req_skb) hci_event_packet
>> (sleep) hci_req_sync_complete
>> \__ Longer times, kfree_skb(hdev->req_skb)
>> reproduce well hdev->req_skb = NULL
>>
Thank you so much your hard work.
I saw the patch email at the link below.
Link:
https://lore.kernel.org/all/a9609dd3d0cb3b8c3fd387efe8a81eddc821be0f.camel@xxxxxx/T/
Does the patch you mentioned apply to backports as well?
Warm regards,
Yunseong Kim