Unverified Commit 400eaf3b authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!14156 Bluetooth: Fix CVE-2024-50125

Merge Pull Request from: @ci-robot 
 
PR sync from: Dong Chenchen <dongchenchen2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/266722PV2XXMZLHCORIGKZV2EVXY4YBK/ 
Fix CVE-2024-50125

Desmond Cheong Zhi Xi (1):
  Bluetooth: call sock_hold earlier in sco_conn_del

Luiz Augusto von Dentz (1):
  Bluetooth: SCO: Fix UAF on sco_sock_timeout


-- 
2.25.1
 
https://gitee.com/src-openeuler/kernel/issues/IB2BXB 
 
Link:https://gitee.com/openeuler/kernel/pulls/14156

 

Reviewed-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
Reviewed-by: default avatarYuan Can <yuancan@huawei.com>
Signed-off-by: default avatarYuan Can <yuancan@huawei.com>
parents a3c34bec ca673429
+1 −0
@@ -267,6 +267,7 @@ int bt_sock_register(int proto, const struct net_proto_family *ops);
void bt_sock_unregister(int proto);
void bt_sock_link(struct bt_sock_list *l, struct sock *s);
void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
bool bt_sock_linked(struct bt_sock_list *l, struct sock *s);
int  bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
		     int flags);
int  bt_sock_stream_recvmsg(struct socket *sock, struct msghdr *msg,
+22 −0
@@ -154,6 +154,28 @@ void bt_sock_unlink(struct bt_sock_list *l, struct sock *sk)
}
EXPORT_SYMBOL(bt_sock_unlink);

bool bt_sock_linked(struct bt_sock_list *l, struct sock *s)
{
	struct sock *sk;

	if (!l || !s)
		return false;

	read_lock(&l->lock);

	sk_for_each(sk, &l->head) {
		if (s == sk) {
			read_unlock(&l->lock);
			return true;
		}
	}

	read_unlock(&l->lock);

	return false;
}
EXPORT_SYMBOL(bt_sock_linked);

void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
{
	BT_DBG("parent %p, sk %p", parent, sk);
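Review bot: bt_sock_linked carries no comment stating what a true result guarantees, and because it releases l->lock before returning, membership is only certain at the instant of the walk; a caller that takes a reference afterwards has to hold some other lock that keeps s from being unlinked (and freed) in between, which this function cannot enforce on its own. I would add a kernel-doc block above the definition saying that it returns true if s was found in l while l->lock was held for reading, and that callers must serialise against bt_sock_unlink by other means before relying on the result to dereference s. Since s is only compared by address and never dereferenced, `bool bt_sock_linked(struct bt_sock_list *l, const struct sock *s)` would make that explicit; the prototype added in the header hunk above would change the same way. bt_sock_linked is complete within the hunk; bt_accept_enqueue at its tail continues outside it.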
+12 −5
@@ -75,6 +75,16 @@ struct sco_pinfo {
#define SCO_CONN_TIMEOUT	(HZ * 40)
#define SCO_DISCONN_TIMEOUT	(HZ * 2)

static struct sock *sco_sock_hold(struct sco_conn *conn)
{
	if (!conn || !bt_sock_linked(&sco_sk_list, conn->sk))
		return NULL;

	sock_hold(conn->sk);

	return conn->sk;
}

static void sco_sock_timeout(struct work_struct *work)
{
	struct sco_conn *conn = container_of(work, struct sco_conn,
@@ -86,9 +96,7 @@ static void sco_sock_timeout(struct work_struct *work)
		sco_conn_unlock(conn);
		return;
	}
	sk = conn->sk;
	if (sk)
		sock_hold(sk);
	sk = sco_sock_hold(conn);
	sco_conn_unlock(conn);

	if (!sk)
@@ -191,11 +199,10 @@ static void sco_conn_del(struct hci_conn *hcon, int err)

	/* Kill socket */
	sco_conn_lock(conn);
	sk = conn->sk;
	sk = sco_sock_hold(conn);
	sco_conn_unlock(conn);

	if (sk) {
		sock_hold(sk);
		lock_sock(sk);
		sco_sock_clear_timer(sk);
		sco_chan_del(sk, err);
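Review bot: sco_sock_hold has no comment describing its contract even though the two later hunks now depend on it for lifetime safety: it may return NULL, and when it returns a socket the caller owns a reference it must release with sock_put, which the sco_sock_timeout and sco_conn_del callers presumably do after the shown lines (both bodies continue outside the hunk). Both callers invoke it between sco_conn_lock and sco_conn_unlock, so the helper appears to rely on the conn lock to keep conn->sk from being unlinked and freed between bt_sock_linked's check, which drops the list lock before returning, and the sock_hold that follows; the hunk does not show what serialises the unlink path against that lock, so that assumption should be written down where the next reader will see it. I would add above the definition a comment such as `/* Must be called with sco_conn_lock held. Returns conn->sk with a reference taken, or NULL if the conn has no socket or the socket is no longer in sco_sk_list. The caller must sock_put() the result. */`.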