lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260123102623.2318-1-hdanton@sina.com>
Date: Fri, 23 Jan 2026 18:26:22 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+9265e754091c2d27ea29@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)

> Date: Thu, 22 Jan 2026 13:45:34 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    a66191c590b3 Merge tag 'hyperv-fixes-signed-20260121' of g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b467fc580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143e7f9a580000

#syz test

--- x/net/bluetooth/af_bluetooth.c
+++ y/net/bluetooth/af_bluetooth.c
@@ -226,6 +226,7 @@ void bt_accept_enqueue(struct sock *pare
 
 	list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
 	bt_sk(sk)->parent = parent;
+	sock_hold(parent);
 
 	/* Copy credentials from parent since for incoming connections the
 	 * socket is allocated by the kernel.
@@ -258,6 +259,7 @@ void bt_accept_unlink(struct sock *sk)
 
 	list_del_init(&bt_sk(sk)->accept_q);
 	sk_acceptq_removed(bt_sk(sk)->parent);
+	sock_put(bt_sk(sk)->parent);
 	bt_sk(sk)->parent = NULL;
 	sock_put(sk);
 }
--- x/net/bluetooth/l2cap_sock.c
+++ y/net/bluetooth/l2cap_sock.c
@@ -1473,6 +1473,8 @@ static struct l2cap_chan *l2cap_sock_new
 {
 	struct sock *sk, *parent = chan->data;
 
+	if (!parent)
+		return NULL;
 	lock_sock(parent);
 
 	/* Check for backlog size */
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ