[PW_SID:1036548] [v3] Bluetooth: vhci: Fix slab-use-after-free by cloning skb #3237
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Hillf Danton pointed out that the root cause of the UAF issue is the lack of isolation between hci_core and vhci driver consumers. vhci_send_frame() modifies the skb (via skb_push) and queues the original skb to the readq for userspace consumption. This means the hci_core caller sees a modified skb (corrupted headers/data pointer) if it retains any reference. Furthermore, if vhci_read() frees the skb immediately, hci_core might hit a Use-After-Free. Other drivers (like btusb) create a new URB and context, isolating the skb lifetime. Fix this by cloning the skb in vhci_send_frame() before queueing. The clone is modified and queued. The original skb is freed using dev_consume_skb_any() which is safe in atomic context, satisfying the HCI driver contract to consume the skb while ensuring the queued object is distinct from the one passed by hci_core. Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hillf Danton pointed out that the root cause of the UAF issue is the
lack of isolation between hci_core and vhci driver consumers.
vhci_send_frame() modifies the skb (via skb_push) and queues the
original skb to the readq for userspace consumption. This means the
hci_core caller sees a modified skb (corrupted headers/data pointer)
if it retains any reference. Furthermore, if vhci_read() frees the
skb immediately, hci_core might hit a Use-After-Free.
Other drivers (like btusb) create a new URB and context, isolating
the skb lifetime.
Fix this by cloning the skb in vhci_send_frame() before queueing.
The clone is modified and queued. The original skb is freed using
dev_consume_skb_any() which is safe in atomic context, satisfying
the HCI driver contract to consume the skb while ensuring the queued
object is distinct from the one passed by hci_core.
Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
Signed-off-by: Szymon Wilczek swilczek.lx@gmail.com
v3: Replaced kfree_skb() with dev_consume_skb_any() to fix sleeping
in atomic context warning reported by CI.
v2: Moved fix to vhci driver, using skb_clone to isolate ownership.
drivers/bluetooth/hci_vhci.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)