diff --git a/patches.suse/Bluetooth-Fix-double-free-in-hci_conn_cleanup.patch b/patches.suse/Bluetooth-Fix-double-free-in-hci_conn_cleanup.patch
new file mode 100644
index 0000000..b478c34
--- /dev/null
+++ b/patches.suse/Bluetooth-Fix-double-free-in-hci_conn_cleanup.patch
@@ -0,0 +1,59 @@
+From: ZhengHan Wang
+To: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com
+Cc: linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org,
+ linux-kernel@vger.kernel.org, ZhengHan Wang
+Subject: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
+Date: Thu, 9 Mar 2023 15:46:45 +0800
+Patch-mainline: Not yet, reviewing on upstream
+References: bsc#1209052 CVE-2023-28464
+
+syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
+After releasing an object using hci_conn_del_sysfs in the
+hci_conn_cleanup function, releasing the same object again
+using the hci_dev_put and hci_conn_put functions causes a double free.
+Here's a simplified flow:
+
+hci_conn_del_sysfs:
+ hci_dev_put
+ put_device
+ kobject_put
+ kref_put
+ kobject_release
+ kobject_cleanup
+ kfree_const
+ kfree(name)
+
+hci_dev_put:
+ ...
+ kfree(name)
+
+hci_conn_put:
+ put_device
+ ...
+ kfree(name)
+
+This patch drop the hci_dev_put and hci_conn_put function
+call in hci_conn_cleanup function, because the object is
+freed in hci_conn_del_sysfs function.
+
+Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
+
+Signed-off-by: ZhengHan Wang
+Acked-by: Lee, Chun-Yi
+---
+ net/bluetooth/hci_conn.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -128,10 +128,6 @@ static void hci_conn_cleanup(struct hci_
+ hci_conn_del_sysfs(conn);
+
+ debugfs_remove_recursive(conn->debugfs);
+-
+- hci_dev_put(hdev);
+-
+- hci_conn_put(conn);
+ }
+
+ static void le_scan_cleanup(struct work_struct *work)
diff --git a/series.conf b/series.conf
index b0f7574..a074c52 100644
--- a/series.conf
+++ b/series.conf
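Review bot: Dropping `hci_dev_put(hdev)` and `hci_conn_put(conn)` at the end of hci_conn_cleanup makes the function depend entirely on hci_conn_del_sysfs releasing both the hci_dev hold and the last reference on conn->dev on every path; if hci_conn_del_sysfs returns early for a connection whose device was never registered (not visible here, but worth checking in hci_sysfs.c), this backport turns the double put into a leak of conn and hdev on that path, and the diffstat shows no companion change to hci_sysfs.c. The "simplified flow" in the description also conflates two different devices: the `hci_dev_put -> put_device -> ... kfree(name)` chain releases hdev's own device, while `hci_conn_put` releases conn->dev, so the description should state which object's name is freed twice and by which pair of calls. Since Patch-mainline says the change is still under upstream review, the backport should be re-diffed against whatever form lands upstream before it is treated as the complete CVE-2023-28464 fix. A one-line comment where the puts were removed would stop someone re-adding them: `/* hci_conn_del_sysfs() drops our hci_dev hold and the last conn->dev ref */`. hci_conn_cleanup's body begins outside the hunk.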
@@ -23457,6 +23457,10 @@ patches.suse/r8169-Revive-default-chip-version-for-r8168.patch patches.suse/bsc1170284-ixgbe_dont_check_firmware_errors.patch + # Bluetooth + # Bug 1209052 - CVE-2023-28464: kernel-source: double free in hci_conn_cleanup() + patches.suse/Bluetooth-Fix-double-free-in-hci_conn_cleanup.patch + ######################################################## # Wireless networking drivers ########################################################