lists.openwall.net - Open Source and information security mailing list archives
Date: Wed, 7 Oct 2020 09:18:03 +0530
From: Anant Thazhemadam <anant.thazhemadam@...il.com>
To: unlisted-recipients:; (no To-header on input)
Cc: linux-kernel-mentees@...ts.linuxfoundation.org, Anant Thazhemadam <anant.thazhemadam@...il.com>, syzbot+6ce141c55b2f7aafd1c4@...kaller.appspotmail.com, Marcel Holtmann <marcel@...tmann.org>, Johan Hedberg <johan.hedberg@...il.com>, Hans de Goede <hdegoede@...hat.com>, linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH v4] bluetooth: hci_h5: fix memory leak in h5_close

If h5_close is called when !hu->serdev, h5 is directly freed. However, h5->rx_skb is not freed, which causes a memory leak. Freeing h5->rx_skb fixes this memory leak.

In case hu->serdev exists, h5->rx_skb is then set to NULL, since we do not want to risk a potential NULL pointer dereference.

Fixes: ce945552fde4 ("Bluetooth: hci_h5: Add support for serdev enumerated devices")
Reported-by: syzbot+6ce141c55b2f7aafd1c4@...kaller.appspotmail.com
Tested-by: syzbot+6ce141c55b2f7aafd1c4@...kaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
---
Changes in v4:
 * Free h5->rx_skb even when hu->serdev (Suggested by Hans de Goede <hdegoede@...hat.com>)
 * If hu->serdev, then assign h5->rx_skb = NULL

Changes in v3:
 * Free h5->rx_skb when !hu->serdev, and fix the memory leak
 * Do not incorrectly and unnecessarily call serdev_device_close()

Changes in v2:
 * Fixed the Fixes tag

 drivers/bluetooth/hci_h5.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c index e41854e0d79a..39f9553caa5c 100644 --- a/drivers/bluetooth/hci_h5.c +++ b/drivers/bluetooth/hci_h5.c @@ -245,11 +245,15 @@ static int h5_close(struct hci_uart *hu) skb_queue_purge(&h5->rel); skb_queue_purge(&h5->unrel); + kfree_skb(h5->rx_skb); + if (h5->vnd && h5->vnd->close) h5->vnd->close(h5); if (!hu->serdev) kfree(h5); + else + h5->rx_skb = NULL; return 0; } -- 2.25.1
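Review bot: the `else h5->rx_skb = NULL;` branch is placed after `h5->vnd->close(h5)`, so between the new `kfree_skb(h5->rx_skb);` and the vendor close callback the struct still carries a pointer to freed memory in both the serdev and non-serdev paths; setting `h5->rx_skb = NULL;` unconditionally right after the `kfree_skb()` call would drop the `else` branch entirely and keep the vendor callback from ever seeing a stale pointer. Separately, the commit message justifies the NULL assignment as avoiding a "potential NULL pointer dereference", but what nulling the field actually prevents is the opposite hazard, a dangling pointer to freed memory that a later close or receive on the same, still-allocated h5 would free or touch again; suggest rewording that sentence so the changelog states the real reason.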