Open Source and information security mailing list archives
Message-ID: <44091d60.3570.19a40a89dd8.Coremail.zzzccc427@163.com>
Date: Sun, 2 Nov 2025 02:23:03 +0800 (CST)
From: zzzccc427  <zzzccc427@....com>
To: luiz.dentz@...il.com, pav@....fi, johan.hedberg@...il.com,
	marcel@...tmann.org
Cc: linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org,
	baijiaju1990@...il.com, r33s3n6@...il.com, gality369@...il.com,
	zhenghaoran154@...il.com
Subject: [BUG] Bluetooth: Mistakenly sco_conn_put in sco_conn_del() leading to UAF

Hi maintainers,

I would like to report a concurrency UAF BUG.

Refcount handling in sco_conn_del() is unbalanced when another thread is concurrently calling kref_put(), which
can lead to a refcount underflow and use-after-free. The detailed execution flow is as below:

Thread1                Thread2
close(sock)            sco_connect_cfm(...)
                              conn = sco_conn_hold_unless_zero(conn)
                              (now ref = 2)
sco_pi(sk)->conn = NULL
conn->sk = NULL
sock_put(sk)
kref_put(&conn->ref, sco_conn_free);
(now ref = 1)
                              sco_conn_put(conn)
                              (now ref = 0)
                              sco_conn_free()
                              kfree(conn)
                              sk = sco_sock_hold(conn) → NULL (socket already closed)
                              sco_conn_put(conn) (now the conn has been freed)
                              kref_put(&conn->ref, sco_conn_free);
                              UAF on conn->ref

The KASAN report is as follows:
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:170 [inline]
BUG: KASAN: slab-use-after-free in kref_read include/linux/kref.h:36 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_put+0x77/0xf50 net/bluetooth/sco.c:113
Read of size 4 at addr ffff8881057eda74 by task kworker/u25:1/86

CPU: 3 UID: 0 PID: 86 Comm: kworker/u25:1 Not tainted 6.17.0-rc5-g22352681e428-dirty #45 PREEMPT(voluntary) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x130 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x171/0x7f0 mm/kasan/report.c:482
 kasan_report+0x139/0x170 mm/kasan/report.c:595
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 refcount_read include/linux/refcount.h:170 [inline]
 kref_read include/linux/kref.h:36 [inline]
 sco_conn_put+0x77/0xf50 net/bluetooth/sco.c:113
 sco_conn_del+0x477/0x8d0 net/bluetooth/sco.c:280
 sco_connect_cfm+0x83d/0x1ee0 net/bluetooth/sco.c:1468
 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
 hci_sco_setup+0x39c/0xd20 net/bluetooth/hci_conn.c:554
 hci_conn_complete_evt+0x6eb/0x3270 net/bluetooth/hci_event.c:3201
 hci_event_func net/bluetooth/hci_event.c:7545 [inline]
 hci_event_packet+0x17cd/0x2da0 net/bluetooth/hci_event.c:7599
 hci_rx_work+0x982/0x2210 net/bluetooth/hci_core.c:4071
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0x7a8/0x1030 kernel/workqueue.c:3319
 worker_thread+0xb97/0x11d0 kernel/workqueue.c:3400
 kthread+0x3d4/0x800 kernel/kthread.c:463
 ret_from_fork+0x13b/0x1e0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 302:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0x72/0x90 mm/kasan/common.c:405
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 sco_conn_add+0x237/0xa50 net/bluetooth/sco.c:215
 sco_connect net/bluetooth/sco.c:356 [inline]
 sco_sock_connect+0x6ea/0x1af0 net/bluetooth/sco.c:684
 __sys_connect_file net/socket.c:2086 [inline]
 __sys_connect+0x277/0x350 net/socket.c:2105
 __do_sys_connect net/socket.c:2111 [inline]
 __se_sys_connect net/socket.c:2108 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2108
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 86:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x41/0x50 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2428 [inline]
 slab_free mm/slub.c:4701 [inline]
 kfree+0x189/0x390 mm/slub.c:4900
 sco_conn_free net/bluetooth/sco.c:105 [inline]
 kref_put include/linux/kref.h:65 [inline]
 sco_conn_put+0x9f2/0xf50 net/bluetooth/sco.c:115
 sco_conn_del+0x403/0x8d0 net/bluetooth/sco.c:278
 sco_connect_cfm+0x83d/0x1ee0 net/bluetooth/sco.c:1468
 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
 hci_sco_setup+0x39c/0xd20 net/bluetooth/hci_conn.c:554
 hci_conn_complete_evt+0x6eb/0x3270 net/bluetooth/hci_event.c:3201
 hci_event_func net/bluetooth/hci_event.c:7545 [inline]
 hci_event_packet+0x17cd/0x2da0 net/bluetooth/hci_event.c:7599
 hci_rx_work+0x982/0x2210 net/bluetooth/hci_core.c:4071
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0x7a8/0x1030 kernel/workqueue.c:3319
 worker_thread+0xb97/0x11d0 kernel/workqueue.c:3400
 kthread+0x3d4/0x800 kernel/kthread.c:463
 ret_from_fork+0x13b/0x1e0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff8881057eda00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 116 bytes inside of
 freed 128-byte region [ffff8881057eda00, ffff8881057eda80)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1057ed
anon flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff888100042a00 ffffea000415ff40 0000000000000003
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881057ed900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881057ed980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881057eda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8881057eda80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881057edb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
[tid:86] conn 00000000eda1bfdb refcnt 0
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 86 at lib/refcount.c:28 refcount_warn_saturate+0x11a/0x1d0 lib/refcount.c:28
Modules linked in:
CPU: 3 UID: 0 PID: 86 Comm: kworker/u25:1 Tainted: G    B               6.17.0-rc5-g22352681e428-dirty #45 PREEMPT(voluntary) 
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci0 hci_rx_work
RIP: 0010:refcount_warn_saturate+0x11a/0x1d0 lib/refcount.c:28
Code: e0 7d 17 aa e8 27 ca 0c ff 90 0f 0b 90 90 eb d7 e8 7b cb 3d ff c6 05 fc b4 46 04 01 90 48 c7 c7 40 7e 17 aa e8 07 ca 0c ff 90 <0f> 0b 90 90 eb b7 e8 5b cb 3d ff c6 05 d9 b4 46 04 01 90 48 c7 c7
RSP: 0018:ffff888108d47740 EFLAGS: 00010246
RAX: 85dddeb7ad9a8d00 RBX: 0000000000000003 RCX: ffff888108bb9e80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8881f68e3e53 R09: 1ffff1103ed1c7ca
R10: dffffc0000000000 R11: ffffed103ed1c7cb R12: 1ffff11020afdb4e
R13: dffffc0000000000 R14: ffff8881057eda74 R15: 00000000000000fb
FS:  0000000000000000(0000) GS:ffff888249c71000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc26de5cd58 CR3: 000000012d466000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 kref_put include/linux/kref.h:64 [inline]
 sco_conn_put+0xa16/0xf50 net/bluetooth/sco.c:115
 sco_conn_del+0x477/0x8d0 net/bluetooth/sco.c:280
 sco_connect_cfm+0x83d/0x1ee0 net/bluetooth/sco.c:1468
 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
 hci_sco_setup+0x39c/0xd20 net/bluetooth/hci_conn.c:554
 hci_conn_complete_evt+0x6eb/0x3270 net/bluetooth/hci_event.c:3201
 hci_event_func net/bluetooth/hci_event.c:7545 [inline]
 hci_event_packet+0x17cd/0x2da0 net/bluetooth/hci_event.c:7599
 hci_rx_work+0x982/0x2210 net/bluetooth/hci_core.c:4071
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0x7a8/0x1030 kernel/workqueue.c:3319
 worker_thread+0xb97/0x11d0 kernel/workqueue.c:3400
 kthread+0x3d4/0x800 kernel/kthread.c:463
 ret_from_fork+0x13b/0x1e0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
---[ end trace 0000000000000000 ]---

Thank you for your attention to this matter.

Best regards,
Cen Zhang
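The execution flow in the report above, replayed deterministically as an added userspace example (not code from the report or from the kernel): struct conn, conn_hold_unless_zero() and conn_put() are stand-ins for sco_conn, sco_conn_hold_unless_zero() and sco_conn_put(), and the underflow check in conn_put() models the refcount_t saturation guard that produced the "refcount_t: underflow" warning. The object is never actually freed, so the extra put that is a use-after-free in the kernel is refused and counted here instead.

```c
/* Userspace model of kref-style reference counting. Added example, not
 * kernel code: struct conn, conn_hold_unless_zero() and conn_put() are
 * stand-ins for sco_conn, sco_conn_hold_unless_zero() and sco_conn_put();
 * the underflow guard models refcount_t saturation (lib/refcount.c). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct conn {
    atomic_int ref;   /* models struct kref */
    int released;     /* 1 once the release callback has run */
};

struct outcome {
    int final_ref;     /* counter value at the end of the replay */
    int releases;      /* how many times the release callback ran */
    int refused_puts;  /* puts refused because the count was already 0 */
    int late_holds;    /* hold attempts made after release (must fail) */
};

/* Models kref_get_unless_zero(): take a reference only while the object
 * is alive. Returns false once the count has already reached zero. */
static bool conn_hold_unless_zero(struct conn *c)
{
    int old = atomic_load(&c->ref);
    while (old > 0) {
        if (atomic_compare_exchange_weak(&c->ref, &old, old + 1))
            return true;
    }
    return false;
}

/* Models kref_put() with refcount_t's underflow check: dropping a
 * reference when the count is already zero is refused and counted
 * instead of wrapping. Runs "release" on the 1 -> 0 transition.
 * Returns true when this put released the object. */
static bool conn_put(struct conn *c, struct outcome *o)
{
    int old = atomic_load(&c->ref);
    for (;;) {
        if (old <= 0) {
            o->refused_puts++;    /* kernel: "refcount_t: underflow; use-after-free." */
            return false;
        }
        if (atomic_compare_exchange_weak(&c->ref, &old, old - 1))
            break;
    }
    if (old == 1) {
        c->released = 1;          /* kfree(conn) in the kernel */
        o->releases++;
        return true;
    }
    return false;
}

/* Replays the interleaving from the report: Thread2 takes an extra
 * reference, Thread1 drops the socket's reference, Thread2 then puts
 * twice. The second put lands on an already released object. */
static struct outcome replay_report_sequence(void)
{
    struct conn c = { .ref = 1, .released = 0 };   /* initial ref from sco_conn_add */
    struct outcome o = { 0 };

    conn_hold_unless_zero(&c);   /* Thread2: sco_conn_hold_unless_zero, ref = 2 */
    conn_put(&c, &o);            /* Thread1: close(sock) -> kref_put, ref = 1 */
    conn_put(&c, &o);            /* Thread2: sco_conn_put, ref = 0, released */
    if (!conn_hold_unless_zero(&c))
        o.late_holds++;          /* a hold after release correctly fails */
    conn_put(&c, &o);            /* Thread2: extra sco_conn_put, UAF in the kernel */

    o.final_ref = atomic_load(&c.ref);
    return o;
}

/* Same two threads, but every hold is paired with exactly one put. */
static struct outcome replay_balanced_sequence(void)
{
    struct conn c = { .ref = 1, .released = 0 };
    struct outcome o = { 0 };

    conn_hold_unless_zero(&c);   /* Thread2: ref = 2 */
    conn_put(&c, &o);            /* Thread1: ref = 1 */
    conn_put(&c, &o);            /* Thread2: ref = 0, released exactly once */

    o.final_ref = atomic_load(&c.ref);
    return o;
}

int main(void)
{
    struct outcome bad = replay_report_sequence();
    struct outcome good = replay_balanced_sequence();
    printf("report sequence:   releases=%d refused_puts=%d\n",
           bad.releases, bad.refused_puts);
    printf("balanced sequence: releases=%d refused_puts=%d\n",
           good.releases, good.refused_puts);
    return 0;
}
```

The invariant the model checks is the one the report says sco_conn_del() breaks: each successful hold is paired with exactly one put, so the release callback runs once and no put ever observes a zero count. A put that is refused in the model corresponds to the kref_put() on freed memory that KASAN flagged in sco_conn_put().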
