Message-ID: <20251115004456.9309-1-hdanton@sina.com>
Date: Sat, 15 Nov 2025 08:44:55 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+a1595e656a83ea5b78eb@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink
> Date: Fri, 14 Nov 2025 15:12:26 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: db9030a787e3 Merge remote-tracking branch 'will/for-next/p..
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=13645c12580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=fdc83aa8a8b9d1ae
> dashboard link: https://syzkaller.appspot.com/bug?extid=a1595e656a83ea5b78eb
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12cb37cd980000
#syz test
--- x/net/bluetooth/af_bluetooth.c
+++ y/net/bluetooth/af_bluetooth.c
@@ -256,6 +256,8 @@ void bt_accept_unlink(struct sock *sk)
{
BT_DBG("sk %p state %d", sk, sk->sk_state);
+ if (bt_sk(sk)->parent == NULL)
+ return;
list_del_init(&bt_sk(sk)->accept_q);
sk_acceptq_removed(bt_sk(sk)->parent);
bt_sk(sk)->parent = NULL;
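Review bot: the new `if (bt_sk(sk)->parent == NULL) return;` at the top of bt_accept_unlink() guards the `sk_acceptq_removed(bt_sk(sk)->parent)` call below it against a NULL parent, but nothing in the hunk says which lock serializes this read against the `bt_sk(sk)->parent = NULL` store at the end of the same function. If two callers can reach here for the same child socket, the second can pass the check before the first clears the pointer, so the check narrows the window rather than closing it. Please add a comment stating the lock callers must hold (the parent's socket lock, judging by the l2cap_sock.c hunk that wraps the call in lock_sock(parent)/release_sock(parent)) and why an already-unlinked child can legitimately arrive here.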
--- x/net/bluetooth/l2cap_sock.c
+++ y/net/bluetooth/l2cap_sock.c
@@ -1581,6 +1581,7 @@ static void l2cap_sock_teardown_cb(struc
if (!sk)
return;
+ sock_hold(sk);
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
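Review bot: the `sock_hold(sk)` added right after the `if (!sk) return;` check is balanced only by the `sock_put(sk)` placed after the new `zap:` label at the end of the function, several hunks away. Every exit path between the two must therefore fall through to `zap:`; a `return` anywhere in between would leak the reference and keep the socket alive forever. A short comment next to the hold ("dropped at zap:") would make that invariant visible to the next person editing l2cap_sock_teardown_cb().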
@@ -1613,8 +1614,14 @@ static void l2cap_sock_teardown_cb(struc
sk->sk_err = err;
if (parent) {
+ sock_hold(parent);
+ release_sock(sk);
+ lock_sock(parent);
bt_accept_unlink(sk);
+ release_sock(parent);
parent->sk_data_ready(parent);
+ sock_put(parent);
+ goto zap;
} else {
sk->sk_state_change(sk);
}
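Review bot: in the `if (parent)` branch the child lock is released (`release_sock(sk)`) before `lock_sock(parent)` is taken, so `bt_accept_unlink(sk)` now runs while holding only the parent's lock, and the `goto zap` skips the remainder of the function for this path. Two things need spelling out: first, `sock_hold(parent)` is taken on a pointer that was read before this hunk, so if the reported use-after-free is the parent being freed underneath us, the hold only helps when the pointer was still valid at the time of the read, and the commit message should say what guarantees that; second, the `goto zap` deliberately bypasses the original `release_sock(sk)` near the end of the function (correct, since sk was already released here), but without a comment a later reader may "fix" the apparent imbalance by adding one back. Consider also noting that `parent->sk_data_ready(parent)` is now called without the parent lock, immediately after `release_sock(parent)`.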
@@ -1623,9 +1630,10 @@ static void l2cap_sock_teardown_cb(struc
}
release_sock(sk);
+zap:
/* Only zap after cleanup to avoid use after free race */
sock_set_flag(sk, SOCK_ZAPPED);
-
+ sock_put(sk);
}
static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
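Review bot: placing the `zap:` label after `release_sock(sk)` means that on the `goto zap` path `sock_set_flag(sk, SOCK_ZAPPED)` and the new `sock_put(sk)` both execute without the socket lock, while the comment directly above ("Only zap after cleanup to avoid use after free race") was written for the locked path. Please state in the commit message whether setting SOCK_ZAPPED unlocked is acceptable here, and note that `sock_put(sk)` must remain the last statement in the function, since it may drop the final reference taken by the `sock_hold(sk)` earlier in this patch and free sk.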
--