
jainanmol84

  • Commit Message Requirements
  • Built against Vault/LTS Environment
  • kABI Check Passed, where Valid (Pre 9.4 RT does not have kABI stability)
  • Boot Test
  • Kernel SelfTest results
  • Additional Tests as determined relevant

Commit message

jira VULN-8810
cve CVE-2023-28464
commit-author ZhengHan Wang <[email protected]>
commit a85fb91e3d728bdfc80833167e8162cce8bc7004

syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
    kfree(name)

hci_conn_put:
  put_device
    ...
      kfree(name)

This patch drops the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function.

This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures.

This fixes CVE-2023-28464.

Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]

Signed-off-by: ZhengHan Wang <[email protected]>
Co-developed-by: Luiz Augusto von Dentz <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
(cherry picked from commit a85fb91e3d728bdfc80833167e8162cce8bc7004)
Signed-off-by: Anmol Jain <[email protected]>

Kernel build logs

/home/anmol/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 2s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148"
Making olddefconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/confdata.o
  HOSTCC  scripts/kconfig/expr.o
  LEX     scripts/kconfig/lexer.lex.c
  YACC    scripts/kconfig/parser.tab.[ch]
  HOSTCC  scripts/kconfig/lexer.lex.o
  HOSTCC  scripts/kconfig/menu.o
  HOSTCC  scripts/kconfig/parser.tab.o
  HOSTCC  scripts/kconfig/preprocess.o
  HOSTCC  scripts/kconfig/symbol.o
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  WRAP    arch/x86/include/generated/uapi/asm/bpf_perf_event.h
  WRAP    arch/x86/include/generated/uapi/asm/errno.h
  WRAP    arch/x86/include/generated/uapi/asm/fcntl.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctl.h
  WRAP    arch/x86/include/generated/uapi/asm/ioctls.h
  WRAP    arch/x86/include/generated/uapi/asm/ipcbuf.h
  WRAP    arch/x86/include/generated/uapi/asm/param.h
  WRAP    arch/x86/include/generated/uapi/asm/poll.h
  WRAP    arch/x86/include/generated/uapi/asm/resource.h
  WRAP    arch/x86/include/generated/uapi/asm/socket.h
[--snip--]
  SIGN    /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/sound/virtio/virtio_snd.ko
  STRIP   /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/sound/xen/snd_xen_front.ko
  INSTALL /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+
[TIMER]{MODULES}: 15s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-e38f31148+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 38s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-c624b962d+ and Index to 3
The default is /boot/loader/entries/65b5ae363fe94129b0075258ce5a010a-5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-c624b962d+.conf with index 3 and kernel /boot/vmlinuz-5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-c624b962d+
The default is /boot/loader/entries/65b5ae363fe94129b0075258ce5a010a-5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-c624b962d+.conf with index 3 and kernel /boot/vmlinuz-5.14.0-_ajain_fips-9-compliant_5.14.0-284.30.1-c624b962d+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 2s
[TIMER]{BUILD}: 2937s
[TIMER]{MODULES}: 15s
[TIMER]{INSTALL}: 38s
[TIMER]{TOTAL} 2997s
Rebooting in 10 seconds

kernel-build.log

Kselftests

$ grep '^ok ' kselftest-before.log | wc -l && grep '^ok ' kselftest-after.log | wc -l
317
317
$ grep '^not ok ' kselftest-before.log | wc -l && grep '^not ok ' kselftest-after.log | wc -l
66
66

kselftest-after.log
kselftest-before.log

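The refcount imbalance the commit message describes, modelled as an added C illustration. This is not the kernel's code and not part of this PR: `model_dev`, `model_conn`, every `model_*` function, the bookkeeping counters, and the rule that a successful sysfs registration holds one reference on the device are all assumptions of the model. It runs the pre-patch flow (sysfs teardown drops the reference, then cleanup drops it again, and teardown drops it even when `device_add()` had failed) beside the patched flow, and counts how many puts arrive after the count has already reached zero; in the kernel that second drop is the second `kfree(name)` that syzbot reported, and a `refcount_t` underflow or KASAN splat is how it surfaces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for hci_dev: a refcounted object whose name buffer
 * is freed exactly once when the last reference is dropped. */
struct model_dev {
    int refcount;
    char *name;
};

/* Hypothetical stand-in for hci_conn: remembers whether its sysfs entry was
 * actually registered (what device_is_registered() answers in the kernel). */
struct model_conn {
    struct model_dev *hdev;
    int registered;
};

/* Demonstration bookkeeping only; the kernel has no such counters. */
static int g_releases;       /* times the name buffer was really freed */
static int g_over_releases;  /* puts that arrived after the count was already 0 */

static struct model_dev *model_dev_alloc(const char *name)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    size_t n = strlen(name) + 1;
    d->refcount = 1;          /* the creator's own reference */
    d->name = malloc(n);
    memcpy(d->name, name, n);
    return d;
}

/* Drop one reference; returns 1 if this call released the object. A put on an
 * already-released object is counted instead of freeing the name a second
 * time, so the buggy flow can be executed safely here. */
static int model_dev_put(struct model_dev *d)
{
    if (d->refcount <= 0) {
        g_over_releases++;
        return 0;
    }
    if (--d->refcount == 0) {
        free(d->name);
        d->name = NULL;
        g_releases++;
        return 1;
    }
    return 0;
}

/* Model assumption: a successful registration takes one reference on hdev.
 * When device_add() fails there is no entry and no reference is taken. */
static int model_conn_add_sysfs(struct model_conn *conn, int device_add_fails)
{
    if (device_add_fails)
        return -1;
    conn->hdev->refcount++;
    conn->registered = 1;
    return 0;
}

/* Pre-patch shape: drops the reference whether or not the entry exists. */
static void model_conn_del_sysfs_before(struct model_conn *conn)
{
    conn->registered = 0;
    model_dev_put(conn->hdev);
}

/* Patched shape: only drops a reference the registration actually took. */
static void model_conn_del_sysfs_after(struct model_conn *conn)
{
    if (!conn->registered)
        return;
    conn->registered = 0;
    model_dev_put(conn->hdev);
}

/* Unpatched cleanup: del_sysfs already dropped the reference, then cleanup
 * drops the same reference once more. */
static void model_conn_cleanup_before(struct model_conn *conn)
{
    model_conn_del_sysfs_before(conn);
    model_dev_put(conn->hdev);   /* the extra put the patch removes */
}

/* Patched cleanup: the extra put is gone. */
static void model_conn_cleanup_after(struct model_conn *conn)
{
    model_conn_del_sysfs_after(conn);
}

/* Run one scenario; returns how many puts underflowed the refcount
 * (0 means every reference was dropped exactly once). */
int run_scenario(int patched, int device_add_fails)
{
    struct model_dev *hdev = model_dev_alloc("hci0");   /* constructed sample */
    struct model_conn conn = { hdev, 0 };

    g_releases = 0;
    g_over_releases = 0;
    model_conn_add_sysfs(&conn, device_add_fails);
    if (patched)
        model_conn_cleanup_after(&conn);
    else
        model_conn_cleanup_before(&conn);
    model_dev_put(hdev);   /* the creator finally drops its own reference */
    free(hdev);
    return g_over_releases;
}

/* Number of genuine releases in the last scenario; should always be 1. */
int model_releases(void) { return g_releases; }

int main(void)
{
    for (int patched = 0; patched <= 1; patched++) {
        for (int fails = 0; fails <= 1; fails++) {
            int under = run_scenario(patched, fails);
            printf("patched=%d device_add_fails=%d -> name freed %d time(s), "
                   "refcount underflows %d\n", patched, fails,
                   model_releases(), under);
        }
    }
    return 0;
}
```

The unpatched flow underflows once when registration succeeded and twice when `device_add()` had failed, which is why the patch both removes the extra put from cleanup and makes the sysfs teardown check whether there is a registered entry to drop; the patched flow frees the name exactly once in every case.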
@ctrliq ctrliq deleted a comment from Copilot AI Aug 1, 2025
Collaborator

@PlaidCat PlaidCat left a comment


:shipit:

Collaborator

@bmastbergen bmastbergen left a comment


🥌

@jainanmol84 jainanmol84 merged commit 6f6a913 into fips-9-compliant/5.14.0-284.30.1 Aug 1, 2025
2 checks passed
@jainanmol84 jainanmol84 deleted the _ajain_fips-9-compliant/5.14.0-284.30.1 branch August 1, 2025 16:32
