| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Jun 2024 20:02:39 +0800 From: Edward Adam Davis <eadavis@...com> To: pav@....fi Cc: eadavis@...com, johan.hedberg@...il.com, linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org, luiz.dentz@...il.com, marcel@...tmann.org, syzbot+35ebc808442df6420eae@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH] Bluetooth: fix double free in hci_req_sync_complete On Sun, 23 Jun 2024 13:30:50 +0300, Pauli Virtanen wrote: > > cpu1 cpu2 > > ==== ==== > > sock_ioctl > > sock_do_ioctl > > hci_sock_ioctl > > hci_rx_work hci_dev_cmd > > hci_event_packet hci_req_sync > > req_complete_skb __hci_req_sync > > hci_req_sync_complete > > > > If hci_rx_work executes before __hci_req_sync releases req_skb, everything > > is normal, otherwise it will result in double free of req_skb. > > > > Adding NULL check of req_skb before releasing it can avoid double free. > > Do you understand why? > > kfree_skb(NULL) is allowed, so this is logically a no-op. > > Probably it perturbs the timings so syzkaller repro no longer hits the > race window, ie doesn't fix the issue. Good, even if you already know race, let me ask you a question: how to reduce race window? `` Edward
Powered by blists - more mailing lists