
Bluetooth: Fix double free in hci_conn_cleanup

JIRA: https://issues.redhat.com/browse/RHEL-2558

CVE: CVE-2023-28464

commit a85fb91e3d728bdfc80833167e8162cce8bc7004
Author: ZhengHan Wang <wzhmmmmm@gmail.com>
Date:   Wed Oct 18 12:30:55 2023 +0200

    Bluetooth: Fix double free in hci_conn_cleanup

    syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
    After releasing an object using hci_conn_del_sysfs in the
    hci_conn_cleanup function, releasing the same object again
    using the hci_dev_put and hci_conn_put functions causes a double free.
    Here's a simplified flow:

    hci_conn_del_sysfs:
      hci_dev_put
        put_device
          kobject_put
            kref_put
              kobject_release
                kobject_cleanup
                  kfree_const
                    kfree(name)

    hci_dev_put:
      ...
        kfree(name)

    hci_conn_put:
      put_device
        ...
          kfree(name)

    This patch drops the hci_dev_put and hci_conn_put function
    calls in the hci_conn_cleanup function, because the object is
    freed in the hci_conn_del_sysfs function.

    This patch also fixes the refcounting in hci_conn_add_sysfs() and
    hci_conn_del_sysfs() to take into account device_add() failures.

    This fixes CVE-2023-28464.

    Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]

    Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
    Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Signed-off-by: Bastien Nocera <bnocera@redhat.com>
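The simplified flow in the commit message, modelled in user space as an added example (not code from the kernel or from this merge request): a single kref-style counter whose release callback frees the name, a stand-in for hci_conn_del_sysfs that drops the reference itself, and the cleanup path before and after the fix. All names below (`dev_model`, `model_del_sysfs`, `cleanup_before_fix`, `cleanup_after_fix`) are hypothetical; a real kref would underflow and free the name twice where this model just counts the extra put.

```c
#define _POSIX_C_SOURCE 200809L
/* Hypothetical user-space model of the refcount flow in the commit
 * message; none of these names are the kernel's real API. */
#include <stdlib.h>
#include <string.h>

struct dev_model {          /* stands in for the hci_dev / hci_conn kobject */
    int refcnt;             /* kref-like counter */
    char *name;             /* freed by the release path, like the kobject name */
    int double_puts;        /* puts seen after the counter already hit zero */
    int releases;           /* how many times the release path ran */
};

static struct dev_model *dev_model_new(const char *name) {
    struct dev_model *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->refcnt = 1;          /* the single reference held by the owner */
    d->name = strdup(name);
    return d;
}

/* Mirrors kref_put -> kobject_release: the last reference frees the name. */
static void dev_model_put(struct dev_model *d) {
    if (d->refcnt == 0) {   /* real code: kfree(name) runs a second time here */
        d->double_puts++;
        return;
    }
    if (--d->refcnt == 0) {
        d->releases++;
        free(d->name);
        d->name = NULL;
    }
}

/* hci_conn_del_sysfs stand-in: it drops the reference on its own. */
static void model_del_sysfs(struct dev_model *d) { dev_model_put(d); }

/* Pre-fix cleanup: del_sysfs already released, the extra put is the double free. */
static int cleanup_before_fix(struct dev_model *d) {
    model_del_sysfs(d);
    dev_model_put(d);       /* the call the patch removes */
    return d->double_puts;  /* 1: one put landed on an already-released object */
}

/* Post-fix cleanup: the only release happens inside del_sysfs. */
static int cleanup_after_fix(struct dev_model *d) {
    model_del_sysfs(d);
    return d->double_puts;  /* 0 */
}
```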

