superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/net/bluetooth
History
Safa Karakuş ab1513597c Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() 
bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.

l2cap_sock_cleanup_listen() walks these children on listening-socket
close.  A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:

  BUG: KASAN: slab-use-after-free in l2cap_sock_kill
    l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
  Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill

This is distinct from the two fixes already in this area: commit
e83f5e24da ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.

Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD.  conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).

KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.

Fixes: 15f02b9105 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@vger.kernel.org
Reported-by: Siwei Zhang <oss@fourdim.xyz>
Reviewed-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Safa Karakuş <safa.karakus@secunnix.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
 		2026-05-20 16:35:47 -04:00
..
bnep Bluetooth: bnep: Fix UAF read of dev->name 2026-05-20 16:35:47 -04:00
hidp Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem 2026-05-06 16:27:53 -04:00
rfcomm Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() 2026-05-20 16:35:47 -04:00
6lowpan.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
Kconfig net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00
Makefile net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00
af_bluetooth.c Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() 2026-05-20 16:35:47 -04:00
aosp.c Bluetooth: aosp: Fix typo in comment 2025-07-23 10:30:18 -04:00
aosp.h
coredump.c Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv 2025-07-23 10:33:57 -04:00
ecdh_helper.c Bluetooth: Use crypto_wait_req 2023-02-13 18:34:48 +08:00
ecdh_helper.h
eir.c Bluetooth: eir: Fix possible crashes on eir_create_adv_data 2025-06-11 16:29:22 -04:00
eir.h Bluetooth: eir: Fix possible crashes on eir_create_adv_data 2025-06-11 16:29:22 -04:00
hci_codec.c Bluetooth: Fix support for Read Local Supported Codecs V2 2022-12-02 13:09:31 -08:00
hci_codec.h
hci_conn.c Bluetooth: l2cap: defer conn param update to avoid conn->lock/hdev->lock inversion 2026-05-06 16:20:51 -04:00
hci_core.c Bluetooth: hci_core: Rate limit the logging of invalid ISO handle 2026-04-10 10:20:04 -04:00
hci_debugfs.c Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap 2025-07-16 15:37:53 -04:00
hci_debugfs.h
hci_drv.c Bluetooth: Introduce HCI Driver protocol 2025-05-21 10:28:07 -04:00
hci_event.c Bluetooth: hci_event: fix memset typo 2026-05-06 16:27:29 -04:00
hci_sock.c Bluetooth: purge error queues in socket destructors 2026-02-23 15:30:16 -05:00
hci_sync.c Bluetooth: hci_sync: Fix not setting mask for HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE 2026-05-20 16:35:47 -04:00
hci_sysfs.c Bluetooth: Allow reset via sysfs 2025-01-15 10:37:07 -05:00
iso.c Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() 2026-05-20 16:35:47 -04:00
l2cap_core.c Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer 2026-05-14 09:57:45 -04:00
l2cap_sock.c Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() 2026-05-20 16:35:47 -04:00
leds.c Bluetooth: Use led_set_brightness() in LED trigger activate() callback 2024-09-10 13:06:11 -04:00
leds.h
lib.c Bluetooth: Fix typos in comments 2025-07-23 10:30:48 -04:00
mgmt.c Bluetooth: MGMT: validate Add Extended Advertising Data length 2026-05-20 16:35:47 -04:00
mgmt_config.c Bluetooth: mgmt: Add idle_timeout to configurable system parameters 2026-01-29 13:24:22 -05:00
mgmt_config.h
mgmt_util.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
mgmt_util.h Bluetooth: MGMT: Fix possible UAFs 2025-09-22 10:30:00 -04:00
msft.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
msft.h Bluetooth: msft: fix slab-use-after-free in msft_do_close() 2024-05-03 13:05:28 -04:00
sco.c Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() 2026-05-20 16:35:47 -04:00
selftest.c
selftest.h
smp.c Bluetooth: SMP: derive legacy responder STK authentication from MITM state 2026-04-01 16:48:06 -04:00
smp.h Bluetooth: SMP: If an unallowed command is received consider it a failure 2025-07-16 15:33:30 -04:00