lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2025073101-upon-lilac-9d22@gregkh>
Date: Thu, 31 Jul 2025 06:32:35 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Salah Triki <salah.triki@...il.com>
Cc: Markus Elfring <Markus.Elfring@....de>,
	Marcel Holtmann <marcel@...tmann.org>,
	Luiz Augusto von Dentz <luiz.dentz@...il.com>,
	linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH V3] Bluetooth: bfusb: Fix use-after-free and memory leak
 in device lifecycle

On Thu, Jul 31, 2025 at 03:19:19AM +0100, Salah Triki wrote:
> The driver stores a reference to the `usb_device` structure (`udev`)
> in its private data (`data->udev`), which can persist beyond the
> immediate context of the `bfusb_probe()` function.
> 
> Without proper reference count management, this can lead to two issues:
> 
> 1. A `use-after-free` scenario if `udev` is accessed after its main
>    reference count drops to zero (e.g., if the device is disconnected
>    and the `data` structure is still active).

How can that happen as during the probe/remove cycle, the reference
count is always properly incremetned.

> 2. A `memory leak` if `udev`'s reference count is not properly
>    decremented during driver disconnect, preventing the `usb_device`
>    object from being freed.

There is no leak here at all, sorry.

> To correctly manage the `udev` lifetime, explicitly increment its
> reference count with `usb_get_dev(udev)` when storing it in the
> driver's private data. Correspondingly, decrement the reference count
> with `usb_put_dev(data->udev)` in the `bfusb_disconnect()` callback.
> 
> This ensures `udev` remains valid while referenced by the driver's
> private data and is properly released when no longer needed.

How was this tested?

I'm not saying the change is wrong, just that I don't think it's
actually a leak, or fix of anything real.

Or do you have a workload that shows this is needed?  If so, what is the
crash reported?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ