[v2,2/2] Bluetooth: ISO: Fix UAF on iso_sock_timeout

Message ID	20241022203421.2126673-2-luiz.dentz@gmail.com (mailing list archive)
State	Accepted
Commit	fb4560832d4c91d73680538d6659ac2c024ec9d5
Headers	show Received: from mail-vk1-f172.google.com (mail-vk1-f172.google.com [209.85.221.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 679251CC15D for <linux-bluetooth@vger.kernel.org>; Tue, 22 Oct 2024 20:34:29 +0000 (UTC) From: Luiz Augusto von Dentz <luiz.dentz@gmail.com> To: linux-bluetooth@vger.kernel.org Subject: [PATCH v2 2/2] Bluetooth: ISO: Fix UAF on iso_sock_timeout Date: Tue, 22 Oct 2024 16:34:21 -0400 Message-ID: <20241022203421.2126673-2-luiz.dentz@gmail.com> In-Reply-To: <20241022203421.2126673-1-luiz.dentz@gmail.com> References: <20241022203421.2126673-1-luiz.dentz@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[v2,1/2] Bluetooth: SCO: Fix UAF on sco_sock_timeout \| expand [v2,1/2] Bluetooth: SCO: Fix UAF on sco_sock_timeout [v2,2/2] Bluetooth: ISO: Fix UAF on iso_sock_timeout

Message ID

20241022203421.2126673-2-luiz.dentz@gmail.com (mailing list archive)

State

Accepted

Commit

fb4560832d4c91d73680538d6659ac2c024ec9d5

Headers

From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 2/2] Bluetooth: ISO: Fix UAF on iso_sock_timeout
Date: Tue, 22 Oct 2024 16:34:21 -0400
Message-ID: <20241022203421.2126673-2-luiz.dentz@gmail.com>
In-Reply-To: <20241022203421.2126673-1-luiz.dentz@gmail.com>
References: <20241022203421.2126673-1-luiz.dentz@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[v2,1/2] Bluetooth: SCO: Fix UAF on sco_sock_timeout | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	success	Gitlint PASS
tedd_an/SubjectPrefix	success	Gitlint PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

success

Gitlint PASS

tedd_an/SubjectPrefix

success

Gitlint PASS

Commit Message

Luiz Augusto von Dentz Oct. 22, 2024, 8:34 p.m. UTC

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
iso_sk_list.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/iso.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index c9eefb43bf47..7a83e400ac77 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -93,6 +93,16 @@  static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst,
 #define ISO_CONN_TIMEOUT	(HZ * 40)
 #define ISO_DISCONN_TIMEOUT	(HZ * 2)
 
+static struct sock *iso_sock_hold(struct iso_conn *conn)
+{
+	if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk))
+		return NULL;
+
+	sock_hold(conn->sk);
+
+	return conn->sk;
+}
+
 static void iso_sock_timeout(struct work_struct *work)
 {
 	struct iso_conn *conn = container_of(work, struct iso_conn,
@@ -100,9 +110,7 @@  static void iso_sock_timeout(struct work_struct *work)
 	struct sock *sk;
 
 	iso_conn_lock(conn);
-	sk = conn->sk;
-	if (sk)
-		sock_hold(sk);
+	sk = iso_sock_hold(conn);
 	iso_conn_unlock(conn);
 
 	if (!sk)
@@ -209,9 +217,7 @@  static void iso_conn_del(struct hci_conn *hcon, int err)
 
 	/* Kill socket */
 	iso_conn_lock(conn);
-	sk = conn->sk;
-	if (sk)
-		sock_hold(sk);
+	sk = iso_sock_hold(conn);
 	iso_conn_unlock(conn);
 
 	if (sk) {