Message-ID: <CABBYNZKQPBaxmxzDttOKumMaReycbSAbc-JM2P0mwzy=d-kbkw@mail.gmail.com>
Date: Fri, 7 Nov 2025 13:52:45 -0500
From: Luiz Augusto von Dentz <luiz.dentz@...il.com>
To: Yang Li <yang.li@...ogic.com>
Cc: Paul Menzel <pmenzel@...gen.mpg.de>, Marcel Holtmann <marcel@...tmann.org>, 
	Johan Hedberg <johan.hedberg@...il.com>, linux-bluetooth@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn

Hi Yang,

On Wed, Nov 5, 2025 at 9:21 PM Yang Li <yang.li@...ogic.com> wrote:
>
> Hi Paul,
>
>
> > [ EXTERNAL EMAIL ]
> >
> > Dear Yang,
> >
> >
> > Thank you for your patch.
> >
> > On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
> >> From: Yang Li <yang.li@...ogic.com>
> >>
> >> kernel panic: Unable to handle kernel read from unreadable
> >> memory at virtual address 00000000000003d8
> >
> > No line break needed in pasted logs.
> >
> >>
> >> Call trace:
> >>   iso_sock_disconn+0x110/0x1c8
> >>   __iso_sock_close+0x50/0x164
> >>   iso_sock_release+0x48/0xf0
> >>   __sock_release+0x40/0xb4
> >>   sock_close+0x18/0x28
> >>   __fput+0xd8/0x28c
> >>   __fput_sync+0x50/0x5c
> >>   __arm64_sys_close+0x38/0x7c
> >>   invoke_syscall+0x48/0x118
> >>   el0_svc_common.constprop.0+0x40/0xe0
> >>   do_el0_svc_compat+0x1c/0x34
> >>   el0_svc_compat+0x30/0x88
> >>   el0t_32_sync_handler+0x90/0x140
> >>   el0t_32_sync+0x198/0x19c
> >
> > Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
> > can be NULL.
>
>
> I will update it.
>
> Thanks!
>
> >
> >> Signed-off-by: Yang Li <yang.li@...ogic.com>
> >> ---
> >>   net/bluetooth/iso.c | 4 ++--
> >>   1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> >> index 74ec7d125c88..89c7700ceb81 100644
> >> --- a/net/bluetooth/iso.c
> >> +++ b/net/bluetooth/iso.c
> >> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
> >>       case BT_CONNECT:
> >>       case BT_CONNECTED:
> >>       case BT_CONFIG:
> >> -             if (iso_pi(sk)->conn->hcon)
> >> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
> >>                       iso_sock_disconn(sk);
> >>               else
> >>                       iso_chan_del(sk, ECONNRESET);
> >>               break;
> >>
> >>       case BT_CONNECT2:
> >> -             if (iso_pi(sk)->conn->hcon &&
> >> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
> >>                   (test_bit(HCI_CONN_PA_SYNC,
> >> &iso_pi(sk)->conn->hcon->flags) ||
> >>                   test_bit(HCI_CONN_PA_SYNC_FAILED,
> >> &iso_pi(sk)->conn->hcon->flags)))
> >>                       iso_sock_disconn(sk);
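Review bot: the subject line says "Fix UAF", but the oops pasted above is a read from virtual address 00000000000003d8, a small offset from NULL, and the hunk only puts `iso_pi(sk)->conn &&` in front of the existing `->hcon` dereferences in the BT_CONNECT/BT_CONNECTED/BT_CONFIG case and the BT_CONNECT2 case; either retitle the patch as a NULL pointer dereference fix or explain in the commit message where the use-after-free is. The added checks also treat the symptom without stating which path clears `iso_pi(sk)->conn` before `__iso_sock_close()` runs; as already requested above, the commit message should describe that path, since without it a reviewer cannot tell whether a NULL `conn` in these states is expected or a lifetime bug that should be fixed where `conn` is released.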

Hold on, since the bug is actually in the handling of BIG Sync Lost: it
has been assuming that it also means PA Sync is lost as well, when that
is informed by its own event, PA Sync Lost:

https://patchwork.kernel.org/project/bluetooth/patch/20251106230943.877242-2-luiz.dentz@gmail.com/

Also note that I've changed the handling so it no longer calls
hci_conn_del without first calling hci_disconn_cfm, since the latter
actually informs the socket layers about the imminent deletion so the
socket can go ahead and clean up properly.

> > This diff looks fine.
> >
> >
> > Kind regards,
> >
> > Paul



-- 
Luiz Augusto von Dentz
