Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
JIRA: https://issues.redhat.com/browse/RHEL-20744
CVE: CVE-2023-51779

This patch is a backport of the following upstream commit:

commit 2e07e834
Author: Hyunwoo Kim <v4bel@theori.io>
Date: Sat Dec 9 05:55:18 2023 -0500

Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg

This can cause a race with bt_sock_ioctl() because bt_sock_recvmsg()
gets the skb from sk->sk_receive_queue and then frees it without holding
lock_sock.

A use-after-free for a skb occurs with the following flow.
```
bt_sock_recvmsg()
  -> skb_recv_datagram()
  -> skb_free_datagram()
bt_sock_ioctl()
  -> skb_peek()
```
Add lock_sock to bt_sock_recvmsg() to fix this issue.

Cc: stable@vger.kernel.org
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
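The interleaving the commit message describes, as an added single-threaded model (not kernel code and not part of this commit): the kernel primitives lock_sock, skb_peek, skb_recv_datagram and skb_free_datagram are replaced by toy stand-ins so the two schedules can be stepped deterministically. The socket lock is modelled as a try-lock that fails when another path already owns it (in the kernel the caller would sleep instead), and "freeing" an skb sets a flag rather than returning memory, so the dereference of a freed buffer can be detected instead of crashing. The struct names, the `owner` field and the two path IDs are assumptions of this model.

```c
/* Added example: a deterministic model of the bt_sock_recvmsg()/bt_sock_ioctl()
 * race fixed by this commit. All kernel primitives below are toy stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct skb {
    struct skb *next;
    unsigned int len;
    bool freed;        /* model-only: records that skb_free_datagram() ran */
};

struct sock {
    struct skb *sk_receive_queue;   /* head of the receive queue */
    int owner;                      /* 0 = unlocked, else the path holding lock_sock */
};

enum { PATH_RECVMSG = 1, PATH_IOCTL = 2 };

/* lock_sock() stand-in: fails instead of sleeping when another path owns sk. */
static bool try_lock_sock(struct sock *sk, int who)
{
    if (sk->owner != 0 && sk->owner != who)
        return false;
    sk->owner = who;
    return true;
}

static void release_sock(struct sock *sk, int who)
{
    if (sk->owner == who)
        sk->owner = 0;
}

/* skb_peek(): return the head without unlinking it; takes no socket lock. */
static struct skb *skb_peek(struct sock *sk)
{
    return sk->sk_receive_queue;
}

/* skb_recv_datagram(): unlink and return the head of the queue. */
static struct skb *skb_recv_datagram(struct sock *sk)
{
    struct skb *s = sk->sk_receive_queue;
    if (s)
        sk->sk_receive_queue = s->next;
    return s;
}

static void skb_free_datagram(struct skb *s)
{
    s->freed = true;
}

/* Step the schedule from the commit message:
 *   ioctl:   lock_sock(); skb = skb_peek()           (holds a pointer to the head)
 *   recvmsg: skb_recv_datagram(); skb_free_datagram() (frees that head)
 *   ioctl:   reads skb->len
 * With recvmsg_takes_lock == false (pre-fix) the middle step runs without the
 * socket lock and the ioctl then reads a freed skb. With true (post-fix) the
 * recvmsg path cannot acquire lock_sock while the ioctl holds it, so the free
 * is deferred until after the ioctl is done with the pointer.
 * Returns true if the ioctl dereferenced a freed skb. */
static bool run_race(bool recvmsg_takes_lock)
{
    struct skb pkt = { .next = NULL, .len = 42, .freed = false };
    struct sock sk = { .sk_receive_queue = &pkt, .owner = 0 };
    bool uaf = false;

    /* bt_sock_ioctl(): lock_sock(sk); skb = skb_peek(&sk->sk_receive_queue); */
    try_lock_sock(&sk, PATH_IOCTL);
    struct skb *peeked = skb_peek(&sk);

    /* bt_sock_recvmsg() is scheduled here, before the ioctl reads skb->len. */
    bool may_run = true;
    if (recvmsg_takes_lock)
        may_run = try_lock_sock(&sk, PATH_RECVMSG);   /* blocked by the ioctl's lock */
    if (may_run) {
        struct skb *s = skb_recv_datagram(&sk);
        if (s)
            skb_free_datagram(s);
        release_sock(&sk, PATH_RECVMSG);
    }

    /* bt_sock_ioctl() continues: amount = skb->len; */
    if (peeked) {
        uaf = peeked->freed;
        (void)peeked->len;
    }
    release_sock(&sk, PATH_IOCTL);
    return uaf;
}

int main(void)
{
    printf("recvmsg without lock_sock: uaf=%d\n", run_race(false));
    printf("recvmsg with lock_sock:    uaf=%d\n", run_race(true));
    return 0;
}
```

The model only covers the one schedule the commit message names; it is meant to show why the fix is to serialize recvmsg against ioctl on lock_sock rather than, say, to take the queue spinlock around skb_peek(), which would not protect the pointer once the peek returns.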