Open Source and information security mailing list archives
 
Message-Id: <20241102012710.2865-1-hdanton@sina.com>
Date: Sat,  2 Nov 2024 09:27:10 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+14b6d57fb728e27ce23c@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_unregister_user

On Fri, 01 Nov 2024 11:29:21 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    90602c251cda Merge tag 'net-6.12-rc6' of git://git.kernel...
> git tree:       upstream
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15bd9340580000

#syz test

--- l/net/bluetooth/hidp/core.c
+++ y/net/bluetooth/hidp/core.c
@@ -1302,6 +1302,7 @@ static int hidp_session_thread(void *arg
 	 * delete the session.
 	 */
 	l2cap_unregister_user(session->conn, &session->user);
+	hci_dev_put(session->conn->hcon->hdev);
 	hidp_session_put(session);
 
 	module_put_and_kthread_exit(0);
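Review bot: The added hci_dev_put() in hidp_session_thread() reaches the device through session->conn->hcon->hdev after l2cap_unregister_user() has already run, so the put depends on conn->hcon still being valid and still being the same connection that was used for the hold in hidp_connection_add(). Nothing in the visible lines guarantees that at teardown time. Consider saving the hdev pointer in the session when the hold is taken and putting that saved pointer here, so hold and put always pair on the same object without walking the pointer chain during teardown.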
@@ -1378,6 +1379,7 @@ int hidp_connection_add(const struct hid
 	ret = l2cap_register_user(conn, &session->user);
 	if (ret)
 		goto out_session;
+	hci_dev_hold(conn->hcon->hdev);
 
 	ret = 0;
 
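Review bot: The hci_dev_hold() in hidp_connection_add() is taken only after l2cap_register_user() has returned success, which leaves a window where the user is registered but the device reference is not yet held. Taking the hold before l2cap_register_user() and dropping it in the "if (ret)" path ahead of "goto out_session" would close that window. A short comment naming the matching hci_dev_put() sites would also make the pairing easier to audit.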
@@ -1405,8 +1407,10 @@ int hidp_connection_del(struct hidp_conn
 				       HIDP_TRANS_HID_CONTROL |
 				         HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
 				       NULL, 0);
-	else
+	else {
 		l2cap_unregister_user(session->conn, &session->user);
+		hci_dev_put(session->conn->hcon->hdev);
+	}
 
 	hidp_session_put(session);
 
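Review bot: The new else branch in hidp_connection_del() drops the hdev reference, and hidp_session_thread() also drops it unconditionally on exit, while hidp_connection_add() takes a single hold. If the session thread still runs to completion after this else branch has executed for the same session, the reference is put twice. Consider dropping the reference in exactly one place, for example when the final hidp_session_put() releases the session, or guarding the put with per-session state so it can only happen once.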
--
