Message-ID: <32571353-7448-f670-8962-cc84b3d6b1c3@salutedevices.com>
Date: Wed, 12 Feb 2025 09:05:10 +0300
From: Arseniy Krasnov <avkrasnov@...utedevices.com>
To: Luiz Augusto von Dentz <luiz.dentz@...il.com>
CC: <hdanton@...a.com>, <linux-bluetooth@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <luiz.von.dentz@...el.com>,
<marcel@...tmann.org>, <netdev@...r.kernel.org>
Subject: Re: [DMARC error] Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in skb_queue_purge_reason (2)
On 11.02.2025 19:51, Luiz Augusto von Dentz wrote:
> Hi Arseniy,
>
> On Tue, Feb 11, 2025 at 11:22 AM Arseniy Krasnov
> <avkrasnov@...utedevices.com> wrote:
>>
>> Maybe my previous version was free of this problem?
>>
>> https://lore.kernel.org/linux-bluetooth/a1db0c90-1803-e01c-3e23-d18e4343a4eb@salutedevices.com/
>
> You can try sending it to
> syzbot+683f8cb11b94b1824c77@...kaller.appspotmail.com to check if that
> works.
Ok, I'll send it. I think that even if this logic is deprecated, it is better to
keep it free of bugs (even if the fix is not elegant).
Thanks
>
>> Thanks
>>
>> On 11.02.2025 17:16, Arseniy Krasnov wrote:
>>> Hi, I guess the problem here is that if hci_uart_tty_close() is called between
>>> setting HCI_UART_PROTO_READY and skb_queue_head_init(), then mrvl_close()
>>> will access uninitialized data.
>>>
>>> hci_uart_set_proto() {
>>>         ...
>>>         set_bit(HCI_UART_PROTO_READY, &hu->flags);
>>>
>>>         err = hci_uart_register_dev(hu);
>>>                 mrvl_open()
>>>                         skb_queue_head_init();
>
> Or we follow what the likes of hci_uart_register_device_priv do; in fact
> we may want to take the time to clean this up. AFAIK the ldisc is
> deprecated and serdev shall be used instead. In any case, if we can't
> just remove the ldisc version, then at the very least they shall be using the
> same flow when it comes to hci_register_dev, since they share the same
> struct hci_uart.
>
>>>         if (err) {
>>>                 return err;
>>>         }
>>>         ...
>>> }
>>>
>>> Thanks
>>>
>>> On 10.02.2025 14:26, syzbot wrote:
>>>> syzbot has bisected this issue to:
>>>>
>>>> commit c411c62cc13319533b1861e00cedc4883c3bc1bb
>>>> Author: Arseniy Krasnov <avkrasnov@...utedevices.com>
>>>> Date: Thu Jan 30 18:43:26 2025 +0000
>>>>
>>>> Bluetooth: hci_uart: fix race during initialization
>>>>
>>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=116cebdf980000
>>>> start commit: 40b8e93e17bf Add linux-next specific files for 20250204
>>>> git tree: linux-next
>>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=136cebdf980000
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=156cebdf980000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=ec880188a87c6aad
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=683f8cb11b94b1824c77
>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b7eeb0580000
>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f74f64580000
>>>>
>>>> Reported-by: syzbot+683f8cb11b94b1824c77@...kaller.appspotmail.com
>>>> Fixes: c411c62cc133 ("Bluetooth: hci_uart: fix race during initialization")
>>>>
>>>> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
>
>
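The ordering problem Arseniy describes above (the ready flag is published before the queue it guards is initialized, so a close() that lands in between purges an uninitialized queue) can be checked mechanically by enumerating every point at which close() could preempt open(). The following is an added illustration written for this page, not code from the thread, the kernel, or the patch under discussion. The type `struct uart_model`, the step enumeration, and the two orderings are assumptions invented here: `order_flag_first` mirrors the sequence quoted above, while `order_init_first` is a generic "initialize before publishing the flag" ordering used only as a point of comparison, not the fix Luiz proposes (following `hci_uart_register_device_priv`). The model treats each step as atomic and ignores memory ordering and locking, which the real driver also has to get right.

```c
/* Added example, not from the thread or the kernel: a deterministic model
 * of the open()/close() ordering problem. All names here are invented for
 * this illustration and are not kernel symbols. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the two fields that matter: the "proto ready" flag
 * and a queue that is only valid once it has been initialized. */
struct uart_model {
    bool proto_ready;       /* stands in for HCI_UART_PROTO_READY in hu->flags */
    bool queue_initialized; /* stands in for skb_queue_head_init() having run */
};

/* The two steps open() performs, so orderings can be enumerated. */
enum step { SET_READY, INIT_QUEUE, NSTEPS };

/* Ordering quoted in the thread: publish the flag, then init the queue. */
static const enum step order_flag_first[NSTEPS] = { SET_READY, INIT_QUEUE };
/* Comparison ordering (assumed, not the proposed patch): init, then publish. */
static const enum step order_init_first[NSTEPS] = { INIT_QUEUE, SET_READY };

static void apply_step(struct uart_model *m, enum step s)
{
    switch (s) {
    case SET_READY:  m->proto_ready = true;       break;
    case INIT_QUEUE: m->queue_initialized = true; break;
    default:                                      break;
    }
}

/* Model of close(): like mrvl_close() reached via hci_uart_tty_close(), it
 * only touches the queue when the ready flag is set. Returns true when it
 * would purge a queue that has not been initialized. */
static bool close_touches_uninit(const struct uart_model *m)
{
    if (!m->proto_ready)
        return false;              /* close() bails out early: safe */
    return !m->queue_initialized;  /* purge of uninitialized queue: unsafe */
}

/* Enumerate every point where close() could preempt open(): before the
 * first step, between steps, and after the last step. Returns how many of
 * those preemption points would make close() touch an uninitialized queue. */
int count_unsafe_preemptions(const enum step *order)
{
    int unsafe = 0;
    for (int preempt_at = 0; preempt_at <= NSTEPS; preempt_at++) {
        struct uart_model m;
        memset(&m, 0, sizeof m);           /* fresh, zeroed hu on each run */
        for (int i = 0; i < preempt_at; i++)
            apply_step(&m, order[i]);      /* open() ran this far ... */
        if (close_touches_uninit(&m))      /* ... then close() ran */
            unsafe++;
    }
    return unsafe;
}

int unsafe_flag_first(void) { return count_unsafe_preemptions(order_flag_first); }
int unsafe_init_first(void) { return count_unsafe_preemptions(order_init_first); }

int main(void)
{
    printf("flag-before-init: %d unsafe preemption point(s)\n", unsafe_flag_first());
    printf("init-before-flag: %d unsafe preemption point(s)\n", unsafe_init_first());
    return 0;
}
```

With the quoted ordering, exactly one preemption point (after set_bit() and before skb_queue_head_init()) lets close() see the flag while the queue is still garbage; reversing the two steps removes that window in this model. The same enumeration generalizes to any "publish a ready flag, then finish initialization" pattern, and is a cheap check to run in your head before a flag is set on a shared structure: everything the flag promises must already be valid when the flag becomes visible.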