Message-ID: <CAH_BBqfO2dUX+H7RAUDfPJUG=oofYP9+SLJU07MUWkW8CW6Huw@mail.gmail.com>
Date: Sat, 30 Nov 2024 16:32:17 +0800
From: tianshu qiu <jimuchutianshu97@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com, Luiz Augusto von Dentz <luiz.dentz@...il.com>, Marcel Holtmann <marcel@...tmann.org>, Johan Hedberg <johan.hedberg@...il.com>
Subject: Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()

The diagrams need to be displayed correctly in full screen. The diagrams above are correct. The second diagram is the timeline for the race.

After careful analysis and debugging, I guess the commit
https://github.com/torvalds/linux/commit/e6720779ae612a14ac4ba7fe4fd5b27d900d932c
has solved the UAF. The introduction of a kref object ensures the dangling sco_conn object is freed in the function sco_conn_del when the asynchronous HCI event thread is invoked, which stops the subsequent exploit chain.

I'm not sure if this commit is related to the email I sent, because I sent the first email to security@...nel.org on November 14th, and the commit was on November 15th.

On Sat, Nov 30, 2024 at 1:46 PM Solar Designer <solar@...nwall.com> wrote:
> On Sat, Nov 30, 2024 at 01:18:18PM +0800, tianshu qiu wrote:
> > The bug was introduced on Apr 11, 2023:
> > https://github.com/torvalds/linux/commit/9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3
> > The latest affected version is Linux-6.11.5
>
> I guess you actually mean the latest _known_ affected?  So later
> versions may also be affected, but you haven't confirmed that?
>
> There were a couple of very wide diagrams in your message, which were
> not properly formatted in its text/plain part.  The below is my attempt
> at resurrecting them from the text/html part (normally filtered out when
> relaying through this mailing list), but a very wide window is still
> needed to view them properly.
> First:
>
> ==============================================================================
> sco_sock_timeout Register Thread          sco_sock_timeout Cancelled Thread
>
> # sco_sock_connect
> # sco_connect
> # sco_sock_set_timer
>                                           # hci_rx_work
>                                           # hci_event_packet
>                                           # hci_event_func
>                                           # hci_conn_complete_evt
>                                           # hci_sco_setup
>                                           # hci_connect_cfm
>                                           # sco_connect_cfm
>                                           # sco_conn_del
>                                           # sco_sock_clear_timer
>                                           # cancel_delayed_work
> ==============================================================================
>
> Second:
>
> =============================================================================================================================================================================
> main thread                               thread 1                                                    thread 2
>
> # fd = socket(AF_BLUETOOTH,
>       SOCK_SEQPACKET | SOCK_NONBLOCK,
>       BTPROTO_SCO)
>                                           # sco_sock_connect                                          # sco_sock_connect
>                                           # sco_connect                                               # sco_connect
>                                           # hci_connect_sco                                           # hci_connect_sco
>                                           # hci_connect_acl                                           # hci_connect_acl
>                                           # hci_acl_create_connection                                 # hci_acl_create_connection
>                                           # hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);  # hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
>                                           # hci_conn_complete_evt (Asynchronous HCI events)
> # close(fd)
> # struct sock is freed
>                                                                                                       # hci_conn_complete_evt (Asynchronous HCI events)
>                                                                                                       # ..........
>                                                                                                       # sco_conn_del
>                                           Dereference freed "struct sock". ----------------->          # sock_hold(sk)
> =============================================================================================================================================================================
>
> Alexander
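As an added illustration that is not part of this thread or of the kernel source, the following single-threaded C model replays the ordering of the second diagram twice: once with the conn object's lifetime untracked, and once with a reference count standing in for the kref that the referenced commit introduces, where the socket detaches itself from the conn before dropping its reference. The names, the two-reference layout (socket plus hci_conn) and the detach step are assumptions of the model, not the kernel's actual code.

```c
#include <stdlib.h>
/* Single-threaded model of the interleaving in the second diagram: the
 * owner calls close() before the asynchronous HCI completion reaches
 * sco_conn_del(). Constructed for illustration; this is not kernel code. */
struct model_sock { int freed; };
struct model_conn {
    int refs;               /* models the kref the fix adds to sco_conn */
    struct model_sock *sk;  /* NULL once the owner has detached it */
};

/* sco_sock_connect: with the kref, the socket and the hci_conn each hold
 * a reference; without it, nothing tracks the conn's lifetime. */
static struct model_conn *model_connect(struct model_sock *sk, int fixed)
{
    struct model_conn *c = calloc(1, sizeof *c);
    c->sk = sk;
    c->refs = fixed ? 2 : 1;
    return c;
}

static void model_conn_put(struct model_conn *c)
{
    if (--c->refs == 0)
        free(c);
}

/* close(fd): struct sock is freed. Unfixed: conn->sk is left dangling.
 * Fixed: the owner detaches the sock, then drops its reference. */
static void model_close(struct model_conn *c, int fixed)
{
    c->sk->freed = 1;
    if (fixed) {
        c->sk = NULL;
        model_conn_put(c);
    }
}

/* sco_conn_del on the async event path, reached through the hci_conn's
 * reference. Returns 1 if sock_hold(sk) would touch freed memory. */
static int model_conn_del(struct model_conn *c)
{
    int bad = c->sk ? c->sk->freed : 0;
    model_conn_put(c);      /* hci_conn drops its reference; freed at 0 */
    return bad;
}

/* Replays the diagram's ordering; returns 1 when a UAF would occur. */
static int scenario(int fixed)
{
    struct model_sock sk = { 0 };
    struct model_conn *c = model_connect(&sk, fixed);
    model_close(c, fixed);
    return model_conn_del(c);
}
```

scenario(0) reports the dangling dereference from the diagram, while scenario(1) shows the event path finding no sock to hold and the conn being released only when the last reference is dropped.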