Commit 51b6a4db authored Jan 26, 2025 by Ignat Korchagin Committed by dinglongwei Jan 26, 2025

Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()

stable inclusion
from stable-v6.1.120
commit ac3eaac4cf142a15fe67be747a682b1416efeb6e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANI
CVE: CVE-2024-56604

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ac3eaac4cf142a15fe67be747a682b1416efeb6e



--------------------------------

[ Upstream commit 3945c799f12b8d1f49a3b48369ca494d981ac465 ]

bt_sock_alloc() attaches allocated sk object to the provided sock object.
If rfcomm_dlc_alloc() fails, we release the sk object, but leave the
dangling pointer in the sock object, which may cause use-after-free.

Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc().

Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241014153808.51894-4-ignat@cloudflare.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: dinglongwei <dinglongwei1@huawei.com>

parent 94132d4b

net/bluetooth/rfcomm/sock.c

+5 −5

Original line number	Diff line number	Diff line
		@@ -277,13 +277,13 @@ static struct sock rfcomm_sock_alloc(struct net net, struct socket *sock,
		struct rfcomm_dlc *d;
		struct sock *sk;

		sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
		if (!sk)
		d = rfcomm_dlc_alloc(prio);
		if (!d)
		return NULL;

		d = rfcomm_dlc_alloc(prio);
		if (!d) {
		sk_free(sk);
		sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
		if (!sk) {
		rfcomm_dlc_free(d);
		return NULL;
		}