Bluetooth: use correct lock to prevent UAF of hdev object

commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream. The hci_sock_dev_event() function will cleanup the hdev object for sockets even if this object may still be in used within the hci_sock_bound_ioctl() function, result in UAF vulnerability. This patch replace the BH context lock to serialize these affairs and prevent the race condition. Signed-off-by: Lin Ma <linma@zju.edu.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Lin Ma <linma@zju.edu.cn> 2021-05-30 21:37:43 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-10 12:41:35 +0200
commit: 2260759b5300865dc209150e925aaeb9df758630 (patch)
tree: 6b909ba04933db3ad2b376b8eb499a7502fa1496
parent: 054b0b4f9bf86baac0774e1ea38f4b65497089e5 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index ea1cd8b21708..4ab69f6e910f 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -483,7 +483,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 		/* Detach sockets from device */
 		read_lock(&hci_sk_list.lock);
 		sk_for_each(sk, &hci_sk_list.head) {
-			bh_lock_sock_nested(sk);
+			lock_sock(sk);
 			if (hci_pi(sk)->hdev == hdev) {
 				hci_pi(sk)->hdev = NULL;
 				sk->sk_err = EPIPE;
@@ -492,7 +492,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 
 				hci_dev_put(hdev);
 			}
-			bh_unlock_sock(sk);
+			release_sock(sk);
 		}
 		read_unlock(&hci_sk_list.lock);
 	}
author	Lin Ma <linma@zju.edu.cn>	2021-05-30 21:37:43 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:41:35 +0200
commit	2260759b5300865dc209150e925aaeb9df758630 (patch)
tree	6b909ba04933db3ad2b376b8eb499a7502fa1496
parent	054b0b4f9bf86baac0774e1ea38f4b65497089e5 (diff)