Re: KASAN: use-after-free Read in hci_chan_del

From: Greg KH
Date: Thu Jun 03 2021 - 14:36:46 EST

Next message: Borislav Petkov: "Re: [PATCH] signal/x86: Don't send SIGSEGV twice on SEGV_PKUERR"
Previous message: Jakub Kicinski: "Re: [PATCH net-next v2 0/3] Some optimization for lockless qdisc"
In reply to: SyzScope: "Re: KASAN: use-after-free Read in hci_chan_del"
Next in thread: Greg KH: "Re: KASAN: use-after-free Read in hci_chan_del"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jun 03, 2021 at 11:30:08AM -0700, SyzScope wrote:
> Hi developers,
>
> Besides the control flow hijacking primitive we sent before, we managed to
> discover an additional double free primitive in this bug, making this bug
> even more dangerous.
>
> We created a web page with detailed descriptions: https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_chan_del
>
> We understand that creating a patch can be time-consuming and there is
> probably a long list of bugs pending fixes. We hope that our security
> analysis can enable an informed decision on which bugs to fix first
> (prioritization).
>
> Since the bug has been on syzbot for over ten months (first found on
> 08-03-2020 and still can be triggered on 05-08-2021), it is best to have the
> bug fixed early enough to avoid it being weaponized.

Wonderful, please help out by sending a fix for this.

thanks,

greg k-h

Next message: Borislav Petkov: "Re: [PATCH] signal/x86: Don't send SIGSEGV twice on SEGV_PKUERR"
Previous message: Jakub Kicinski: "Re: [PATCH net-next v2 0/3] Some optimization for lockless qdisc"
In reply to: SyzScope: "Re: KASAN: use-after-free Read in hci_chan_del"
Next in thread: Greg KH: "Re: KASAN: use-after-free Read in hci_chan_del"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]