lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e8b8686f-8de1-aa25-9707-fcad4ffa5710@salutedevices.com>
Date: Tue, 11 Feb 2025 17:16:29 +0300
From: Arseniy Krasnov <avkrasnov@...utedevices.com>
To: <hdanton@...a.com>, <linux-bluetooth@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <luiz.dentz@...il.com>,
	<luiz.von.dentz@...el.com>, <marcel@...tmann.org>, <netdev@...r.kernel.org>,
	<syzkaller-bugs@...glegroups.com>
Subject: Re: [DMARC error] Re: [syzbot] [bluetooth?] KASAN:
 slab-use-after-free Read in skb_queue_purge_reason (2)

Hi, I guess problem here is that, if hci_uart_tty_close() will be called between
setting HCI_UART_PROTO_READY and skb_queue_head_init(), in that case mrvl_close()
will access uninitialized data.

hci_uart_set_proto() {
        ...
        set_bit(HCI_UART_PROTO_READY, &hu->flags);
                                                   
        err = hci_uart_register_dev(hu);
                mrvl_open()
                    skb_queue_head_init();

        if (err) {
                return err;
        }
        ...
}

Thanks

On 10.02.2025 14:26, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit c411c62cc13319533b1861e00cedc4883c3bc1bb
> Author: Arseniy Krasnov <avkrasnov@...utedevices.com>
> Date:   Thu Jan 30 18:43:26 2025 +0000
> 
>     Bluetooth: hci_uart: fix race during initialization
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=116cebdf980000
> start commit:   40b8e93e17bf Add linux-next specific files for 20250204
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=136cebdf980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=156cebdf980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ec880188a87c6aad
> dashboard link: https://syzkaller.appspot.com/bug?extid=683f8cb11b94b1824c77
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b7eeb0580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f74f64580000
> 
> Reported-by: syzbot+683f8cb11b94b1824c77@...kaller.appspotmail.com
> Fixes: c411c62cc133 ("Bluetooth: hci_uart: fix race during initialization")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ