Message-ID: <AJMA6ACZJsDbFlQIckIfV4oY.1.1764245763996.Hmail.2200013188@stu.pku.edu.cn>
Date: Thu, 27 Nov 2025 20:16:03 +0800 (GMT+08:00)
From: 李天宇 <2200013188@....pku.edu.cn>
To: linux-kernel <linux-kernel@...r.kernel.org>
Cc: linux-bluetooth <linux-bluetooth@...r.kernel.org>, 
	"luiz.dentz" <luiz.dentz@...il.com>, 
	"johan.hedberg" <johan.hedberg@...il.com>, 
	marcel <marcel@...tmann.org>, 
	xujiakai2025 <xujiakai2025@...as.ac.cn>
Subject: [BUG] Bluetooth: slab-use-after-free in l2cap_core.c

Dear maintainers,

I am writing to report a slab-use-after-free bug that I found using a fuzzing framework on Linux 6.18-rc7, the mainline kernel.

The bug is triggered when l2cap_chan_timeout() is called. Specifically, at line 417, the address of conn->lock is passed as a parameter, and later in kernel/locking/mutex.c:183, it is detected as a freed pointer when accessing its wait_list field. The lock field appears to be freed in l2cap_conn_free, which is linked to a refcount module in l2cap_conn_put. Based on this, I suspect that the issue may stem from an incorrect calculation of the reference count for the conn struct, which could lead to an early release of resources.

Due to my limited knowledge of the kernel and the lack of further information, I am unsure if additional analysis is needed. However, I hope this report is helpful in identifying and addressing the issue.

Thank you for your attention to this matter.

Relevant materials:
	Kernel log: https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/fbff42b46be0692e8bd755b5914fc9ad08013590/report0
	Unfortunately, I don't have repro code at this time :(

Best regards
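The lifetime pattern the report suspects, as an added userland model that is not kernel code and not part of the original message: a refcounted connection whose lock is touched by a deferred timeout callback after the owner has dropped the last reference, beside the variant in which arming the timer takes its own reference. The names conn_get/conn_put/chan_timeout/chan_set_timer and the lock_valid flag are constructed stand-ins for the kernel's refcount, mutex and KASAN behaviour; the real l2cap code paths are not reproduced here.

```c
/* Constructed userland model of the class of bug the report suspects:
 * a refcounted connection whose lock is taken by a deferred timeout
 * callback after the last reference was dropped. Not kernel code. */
struct conn {
    int refs;
    int lock_valid;   /* stands in for the memory backing conn->lock */
};

struct chan {
    struct conn *conn;
    int timer_armed;
    int timer_owns_ref;   /* did arming the timer take a conn reference? */
};

static struct conn *conn_get(struct conn *c) { c->refs++; return c; }

/* Drops a reference; the last put invalidates the lock (models kfree). */
static void conn_put(struct conn *c) {
    if (--c->refs == 0)
        c->lock_valid = 0;
}

/* Models the timeout callback locking chan->conn->lock.
 * Returns 1 if the lock it touched was already freed (the condition
 * KASAN reports as slab-use-after-free), 0 if the access was safe. */
static int chan_timeout(struct chan *ch) {
    struct conn *c = ch->conn;
    int uaf = (c->lock_valid == 0);
    ch->timer_armed = 0;
    if (ch->timer_owns_ref)
        conn_put(c);   /* balance the reference taken when arming */
    return uaf;
}

/* Arm the timer; with hold_ref the timer keeps conn alive until it fires. */
static void chan_set_timer(struct chan *ch, int hold_ref) {
    ch->timer_armed = 1;
    ch->timer_owns_ref = hold_ref;
    if (hold_ref)
        conn_get(ch->conn);
}

/* Arm the timer, let the owner drop its reference, then fire the timer.
 * Returns 1 if the callback hit a freed lock, 0 if the reference held
 * by the timer kept conn alive. */
int run_scenario(int timer_holds_ref) {
    struct conn c = { .refs = 1, .lock_valid = 1 };   /* owner's reference */
    struct chan ch = { .conn = &c, .timer_armed = 0, .timer_owns_ref = 0 };
    chan_set_timer(&ch, timer_holds_ref);
    conn_put(&c);            /* owner tears down before the timer fires */
    return chan_timeout(&ch);
}
```

The unprotected variant reproduces the reported sequence (the callback reaches a lock whose backing object is gone); the variant that takes a reference when arming the timer is the usual way such deferred-work lifetimes are kept balanced.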
