Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF

There is a KASAN: slab-use-after-free read in btusb_disconnect().
Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will
free the btusb data associated with the interface. The same data is
then used later in the function, hence the UAF.

Fix by moving the accesses to btusb data to before the data is freed.

Reported-by: syzbot+2fc81b50a4f8263a159b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2fc81b50a4f8263a159b
Tested-by: syzbot+2fc81b50a4f8263a159b@syzkaller.appspotmail.com
Fixes: fd913ef7ce619 ("Bluetooth: btusb: Add out-of-band wakeup support")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Authored by Raphael Pinsonneault-Thibeault and committed by Luiz Augusto von Dentz
23d22f2f 55fb52ff

+6 -7
drivers/bluetooth/btusb.c
··· 4361 4361 4362 4362 hci_unregister_dev(hdev); 4363 4363 4364 + if (data->oob_wake_irq) 4365 + device_init_wakeup(&data->udev->dev, false); 4366 + if (data->reset_gpio) 4367 + gpiod_put(data->reset_gpio); 4368 + 4364 4369 if (intf == data->intf) { 4365 4370 if (data->isoc) 4366 4371 usb_driver_release_interface(&btusb_driver, data->isoc); ··· 4376 4371 usb_driver_release_interface(&btusb_driver, data->diag); 4377 4372 usb_driver_release_interface(&btusb_driver, data->intf); 4378 4373 } else if (intf == data->diag) { 4379 - usb_driver_release_interface(&btusb_driver, data->intf); 4380 4374 if (data->isoc) 4381 4375 usb_driver_release_interface(&btusb_driver, data->isoc); 4376 + usb_driver_release_interface(&btusb_driver, data->intf); 4382 4377 } 4383 - 4384 - if (data->oob_wake_irq) 4385 - device_init_wakeup(&data->udev->dev, false); 4386 - 4387 - if (data->reset_gpio) 4388 - gpiod_put(data->reset_gpio); 4389 4378 4390 4379 hci_free_dev(hdev); 4391 4380 }
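Review bot: the block moved to the top of the first hunk (the oob_wake_irq and reset_gpio cleanup, now ahead of the usb_driver_release_interface() calls) needs a comment saying why the order matters, because nothing in the code states that releasing data->intf frees data; a line such as `/* data is freed by usb_driver_release_interface(data->intf): no accesses to it after that call */` above the `if (intf == data->intf)` test would keep a future reorder from reintroducing the same read-after-free. Since the reset_gpio access sat after the free just as the oob_wake_irq access did, also check whether the commit that added data->reset_gpio warrants its own Fixes: tag; the message cites only the out-of-band wakeup commit.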
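Review bot: in the second hunk, moving `usb_driver_release_interface(&btusb_driver, data->intf)` after the data->isoc release in the `else if (intf == data->diag)` branch brings that branch in line with the intf == data->intf branch (isoc, then diag, then intf last) and removes the read of data->isoc after data has been freed. Because "data->intf is released last" is now load-bearing in both branches, consider tagging that release with `/* must stay last: frees data */` so the invariant is visible at the call site; the trailing `hci_free_dev(hdev)` is fine, as hdev is already in hand at the `hci_unregister_dev(hdev)` call above the releases.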