lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <8376D008-EA21-49EA-AF5A-DDDCB179EAC5@holtmann.org>
Date:   Tue, 26 Nov 2019 07:18:46 +0100
From:   Marcel Holtmann <marcel@...tmann.org>
To:     Alexander Potapenko <glider@...gle.com>
Cc:     Tomas Bortoli <tomasbortoli@...il.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Bluez mailing list <linux-bluetooth@...r.kernel.org>,
        lkml <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        syzbot+a0d209a4676664613e76@...kaller.appspotmail.com
Subject: Re: [PATCH] Fix invalid-free in bcsp_close()

Hi Alexander,

>>> Syzbot reported an invalid-free that I introduced fixing a memleak.
>>> 
>>> bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
>>> Nullify bcsp->rx_skb every time it is freed.
>>> 
>>> Signed-off-by: Tomas Bortoli <tomasbortoli@...il.com>
>>> Reported-by: syzbot+a0d209a4676664613e76@...kaller.appspotmail.com
>>> ---
>>> drivers/bluetooth/hci_bcsp.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>> 
>> patch has been applied to bluetooth-next tree.
> I believe this bug requires stable tags, as it can potentially provide
> an arbitrary write (via __skb_unlink) and is triggerable locally with
> user privileges.

I do not have a reproducer for it, but if you do, feel free to propose it for -stable inclusion.

Regards

Marcel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ