| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Jun 2024 09:54:56 -0400 From: Luiz Augusto von Dentz <luiz.dentz@...il.com> To: Edward Adam Davis <eadavis@...com> Cc: pav@....fi, johan.hedberg@...il.com, linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org, marcel@...tmann.org, syzbot+35ebc808442df6420eae@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH] Bluetooth: fix double free in hci_req_sync_complete Hi Edward, On Sun, Jun 23, 2024 at 8:02 AM Edward Adam Davis <eadavis@...com> wrote: > > On Sun, 23 Jun 2024 13:30:50 +0300, Pauli Virtanen wrote: > > > cpu1 cpu2 > > > ==== ==== > > > sock_ioctl > > > sock_do_ioctl > > > hci_sock_ioctl > > > hci_rx_work hci_dev_cmd > > > hci_event_packet hci_req_sync > > > req_complete_skb __hci_req_sync > > > hci_req_sync_complete > > > > > > If hci_rx_work executes before __hci_req_sync releases req_skb, everything > > > is normal, otherwise it will result in double free of req_skb. > > > > > > Adding NULL check of req_skb before releasing it can avoid double free. > > > > Do you understand why? > > > > kfree_skb(NULL) is allowed, so this is logically a no-op. > > > > Probably it perturbs the timings so syzkaller repro no longer hits the > > race window, ie doesn't fix the issue. > Good, even if you already know race, let me ask you a question: how to reduce race window? We actually need to stop using hci_req_sync since that has been deprecated, instead it shall use hci_cmd_sync_submit, we could for the time being just make hci_req_sync use hci_cmd_sync_submit to avoid such races. > `` > Edward > -- Luiz Augusto von Dentz
Powered by blists - more mailing lists