From 636a7deabf46fc52a7910e41c09b6cc8bcc3caff Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Apr 13 2023 07:01:54 +0000
Subject: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work (CVE-2023-1989 bsc#1210336).
---
diff --git a/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch b/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
new file mode 100644
index 0000000..3988918
--- /dev/null
+++ b/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
@@ -0,0 +1,38 @@
+From 1e9ac114c4428fdb7ff4635b45d4f46017e8916f Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Thu, 9 Mar 2023 16:07:39 +0800
+Subject: [PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
+Git-commit: 1e9ac114c4428fdb7ff4635b45d4f46017e8916f
+Patch-mainline: v6.3-rc4
+References: CVE-2023-1989 bsc#1210336
+
+In btsdio_probe, &data->work was bound with btsdio_work.In
+btsdio_send_frame, it was started by schedule_work.
+
+If we call btsdio_remove with an unfinished job, there may
+be a race condition and cause UAF bug on hdev.
+
+Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
+Signed-off-by: Zheng Wang
+Signed-off-by: Luiz Augusto von Dentz
+Acked-by: Takashi Iwai
+
+---
+ drivers/bluetooth/btsdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index 795be33f2892..02893600db39 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -354,6 +354,7 @@ static void btsdio_remove(struct sdio_func *func)
+ 
+ BT_DBG("func %p", func);
+ 
++ cancel_work_sync(&data->work);
+ if (!data)
+ return;
+ 
+-- 
+2.35.3
+ 
diff --git a/series.conf b/series.conf
index 74d7d56..e2e8b9f 100644
--- a/series.conf
+++ b/series.conf
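Review bot: The backported line `cancel_work_sync(&data->work);` dereferences `data` one line before the `if (!data) return;` guard shown in the context lines, so on the path that guard exists for the new line is a NULL dereference, and once `data` has been dereferenced a compiler may treat the guard as dead and drop it. The cancel belongs after the check, `if (!data)` / `return;` / `cancel_work_sync(&data->work);`, so that the UAF fix does not trade one crash for another. Whether `data` can really be NULL at line 354 depends on how it is fetched earlier in btsdio_remove, which lies outside the hunk, as does the rest of the function; if it cannot, the guard itself is the misleading part and should go instead. Since the quoted file is a verbatim mainline commit, the reordering would be carried as a separate follow-up patch in the series rather than an edit to this patch file.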
@@ -26848,6 +26848,7 @@
 patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch
 patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
 patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch
+ patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
 # dhowells/linux-fs keys-uefi
 patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch