lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 29 Sep 2012 18:29:15 +0200
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Gustavo Padovan <gustavo.padovan@...labora.co.uk>,
	Marcel Holtmann <marcel@...tmann.org>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	alan@...rguk.ukuu.org.uk,
	Andre Guedes <andre.guedes@...nbossa.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [ 174/218] Bluetooth: Fix use-after-free bug in SMP

On Fri, 2012-09-28 at 13:16 -0700, Greg Kroah-Hartman wrote:
> 3.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Andre Guedes <andre.guedes@...nbossa.org>
> 
> commit 61a0cfb008f57ecf7eb28ee762952fb42dc15d15 upstream.
> 
> If SMP fails, we should always cancel security_timer delayed work.
> Otherwise, security_timer function may run after l2cap_conn object
> has been freed.
[...]

This particular bug doesn't appear to exist in earlier kernel versions,
but it led me to find some related bugs in teardown that do.

I'm attaching two patches:
- bluetooth-fix-l2cap_conn_del-locking.patch seems to be needed for both
  3.0 and 3.2.  It's very different from the upstream changes, and is
  compile-tested only.
- bluetooth-fix-deadlock-and-crash-when-smp-pairing-times-out.patch
  (commit d06cc416f517a25713dedd9e2a9ccf4f3086c09a upstream) seems to be
  needed for 3.2 only.

What do you think?

Ben.

-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
                      - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'

View attachment "bluetooth-fix-l2cap_conn_del-locking.patch" of type "text/x-patch" (1399 bytes)

View attachment "bluetooth-fix-deadlock-and-crash-when-smp-pairing-times-out.patch" of type "text/x-patch" (1578 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ