Message-ID: <0aa28372-feea-4252-a498-b3b8be7617f4@amlogic.com>
Date: Thu, 6 Nov 2025 10:21:02 +0800
From: Yang Li <yang.li@...ogic.com>
To: Paul Menzel <pmenzel@...gen.mpg.de>
Cc: Marcel Holtmann <marcel@...tmann.org>,
 Johan Hedberg <johan.hedberg@...il.com>,
 Luiz Augusto von Dentz <luiz.dentz@...il.com>,
 linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn

Hi Paul,


> Dear Yang,
>
>
> Thank you for your patch.
>
> On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
>> From: Yang Li <yang.li@...ogic.com>
>>
>> kernel panic: Unable to handle kernel read from unreadable
>> memory at virtual address 00000000000003d8
>
> No line break needed in pasted logs.
>
>>
>> Call trace:
>>   iso_sock_disconn+0x110/0x1c8
>>   __iso_sock_close+0x50/0x164
>>   iso_sock_release+0x48/0xf0
>>   __sock_release+0x40/0xb4
>>   sock_close+0x18/0x28
>>   __fput+0xd8/0x28c
>>   __fput_sync+0x50/0x5c
>>   __arm64_sys_close+0x38/0x7c
>>   invoke_syscall+0x48/0x118
>>   el0_svc_common.constprop.0+0x40/0xe0
>>   do_el0_svc_compat+0x1c/0x34
>>   el0_svc_compat+0x30/0x88
>>   el0t_32_sync_handler+0x90/0x140
>>   el0t_32_sync+0x198/0x19c
>
> Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
> can be NULL.


I will update it.

Thanks!

>
>> Signed-off-by: Yang Li <yang.li@...ogic.com>
>> ---
>>   net/bluetooth/iso.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
>> index 74ec7d125c88..89c7700ceb81 100644
>> --- a/net/bluetooth/iso.c
>> +++ b/net/bluetooth/iso.c
>> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
>>       case BT_CONNECT:
>>       case BT_CONNECTED:
>>       case BT_CONFIG:
>> -             if (iso_pi(sk)->conn->hcon)
>> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
>>                       iso_sock_disconn(sk);
>>               else
>>                       iso_chan_del(sk, ECONNRESET);
>>               break;
>>
>>       case BT_CONNECT2:
>> -             if (iso_pi(sk)->conn->hcon &&
>> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
>>                   (test_bit(HCI_CONN_PA_SYNC, 
>> &iso_pi(sk)->conn->hcon->flags) ||
>>                   test_bit(HCI_CONN_PA_SYNC_FAILED, 
>> &iso_pi(sk)->conn->hcon->flags)))
>>                       iso_sock_disconn(sk);
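Review bot: the subject says "Fix UAF", but the oops quoted above is a read from virtual address 0x3d8 (a field offset from a NULL base pointer) and both hunks add a NULL guard on `iso_pi(sk)->conn`, so the title and commit message should describe the defect as a NULL pointer dereference, or explain how a use-after-free leads to it, and state how `conn` can be NULL in the BT_CONNECT/BT_CONNECTED/BT_CONFIG and BT_CONNECT2 states, as requested above. Both hunks also read `iso_pi(sk)->conn` twice in the same condition (`iso_pi(sk)->conn && iso_pi(sk)->conn->hcon`); if `conn` can be cleared concurrently, the second read can still observe NULL, so either say which lock keeps the pointer stable for the duration of __iso_sock_close(), or read it once into a local (`struct iso_conn *conn = iso_pi(sk)->conn;`) at the top of the function and test `conn && conn->hcon`, which also shortens the wrapped `test_bit()` lines in the BT_CONNECT2 case.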
>
> This diff looks fine.
>
>
> Kind regards,
>
> Paul
