| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Nov 2019 09:12:58 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Marcel Holtmann <marcel@...tmann.org>
Cc: Alexander Potapenko <glider@...gle.com>,
Tomas Bortoli <tomasbortoli@...il.com>,
Johan Hedberg <johan.hedberg@...il.com>,
Bluez mailing list <linux-bluetooth@...r.kernel.org>,
lkml <linux-kernel@...r.kernel.org>,
syzkaller <syzkaller@...glegroups.com>,
syzbot+a0d209a4676664613e76@...kaller.appspotmail.com
Subject: Re: [PATCH] Fix invalid-free in bcsp_close()
On Tue, Nov 26, 2019 at 07:18:46AM +0100, Marcel Holtmann wrote:
> Hi Alexander,
>
> >>> Syzbot reported an invalid-free that I introduced fixing a memleak.
> >>>
> >>> bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
> >>> Nullify bcsp->rx_skb every time it is freed.
> >>>
> >>> Signed-off-by: Tomas Bortoli <tomasbortoli@...il.com>
> >>> Reported-by: syzbot+a0d209a4676664613e76@...kaller.appspotmail.com
> >>> ---
> >>> drivers/bluetooth/hci_bcsp.c | 3 +++
> >>> 1 file changed, 3 insertions(+)
> >>
> >> patch has been applied to bluetooth-next tree.
> > I believe this bug requires stable tags, as it can potentially provide
> > an arbitrary write (via __skb_unlink) and is triggerable locally with
> > user privileges.
>
> I do not have a reproducer for it, but if you do, feel free to propose it for -stable inclusion.
Now queued up, thanks.
greg k-h
Powered by blists - more mailing lists