lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed,  7 Oct 2020 09:18:03 +0530
From:   Anant Thazhemadam <anant.thazhemadam@...il.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     linux-kernel-mentees@...ts.linuxfoundation.org,
        Anant Thazhemadam <anant.thazhemadam@...il.com>,
        syzbot+6ce141c55b2f7aafd1c4@...kaller.appspotmail.com,
        Marcel Holtmann <marcel@...tmann.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Hans de Goede <hdegoede@...hat.com>,
        linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH v4] bluetooth: hci_h5: fix memory leak in h5_close

If h5_close is called when !hu->serdev, h5 is directly freed.
However, h5->rx_skb is not freed, which causes a memory leak.

Freeing h5->rx_skb fixes this memory leak.

In case hu->serdev exists, h5->rx_skb is then set to NULL,
since we do not want to risk a potential NULL pointer 
dereference.

Fixes: ce945552fde4 ("Bluetooth: hci_h5: Add support for serdev enumerated devices")
Reported-by: syzbot+6ce141c55b2f7aafd1c4@...kaller.appspotmail.com
Tested-by: syzbot+6ce141c55b2f7aafd1c4@...kaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>h5_close v4
---
Changes in v4:
	* Free h5->rx_skb even when hu->serdev
	(Suggested by Hans de Goede <hdegoede@...hat.com>)
	* If hu->serdev, then assign h5->rx_skb = NULL

Changes in v3:
	* Free h5->rx_skb when !hu->serdev, and fix the memory leak
	* Do not incorrectly and unnecessarily call serdev_device_close()

Changes in v2:
	* Fixed the Fixes tag

 drivers/bluetooth/hci_h5.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index e41854e0d79a..39f9553caa5c 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -245,11 +245,15 @@ static int h5_close(struct hci_uart *hu)
 	skb_queue_purge(&h5->rel);
 	skb_queue_purge(&h5->unrel);
 
+	kfree_skb(h5->rx_skb);
+
 	if (h5->vnd && h5->vnd->close)
 		h5->vnd->close(h5);
 
 	if (!hu->serdev)
 		kfree(h5);
+	else
+		h5->rx_skb = NULL;
 
 	return 0;
 }
-- 
2.25.1

Powered by blists - more mailing lists