Created attachment 224936: add goto out if ng_hci_lp_con_ind() error.

Bug File: sys/netgraph/bluetooth/hci/ng_hci_evnt.c

In function le_connection_complete, con is freed via ng_hci_free_con(con) at line 530, but the freed con is still used later. This free operation is performed if an error happened in ng_hci_lp_con_ind(); I think the developer forgot the goto out branch, which causes this UAF. My patch fixes this error.
https://reviews.freebsd.org/D30454
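The control-flow shape behind the report, as an added example that is not FreeBSD code and not the reporter's patch: a stand-in for the error branch in le_connection_complete() that frees the connection object and then falls through into code that still dereferences it, next to the same branch with the goto that the fix adds. The names con_alloc(), free_con(), con_release(), lp_con_ind(), con_finish(), run_scenario() and ERR_REJECTED are hypothetical; the `freed` flag is instrumentation so the later access can be observed instead of corrupting memory, which the real kernel free() would not give you.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the HCI connection object; not the real struct. */
struct con {
    int handle;
    int state;
    int freed;      /* instrumentation only: set by free_con(), checked by every later access */
};

struct result {
    int error;      /* errno-style return of the event handler */
    int uaf;        /* 1 if the handler touched con after freeing it */
};

#define CON_STATE_OPEN 2
#define ERR_REJECTED   5   /* constructed: "upper layer rejected the connection indication" */

/* Constructed tracking allocator. A real kernel free() hands the memory back to
 * the allocator with no marker; the later access then silently scribbles on
 * whatever reuses the slab. Here free_con() only marks the object so the
 * scenario driver can observe the access and release the memory afterwards. */
static struct con *con_alloc(int handle)
{
    struct con *c = calloc(1, sizeof(*c));
    if (c != NULL)
        c->handle = handle;
    return c;
}

static void free_con(struct con *c)   { c->freed = 1; }
static void con_release(struct con *c) { free(c); }

/* Stand-in for ng_hci_lp_con_ind(): `reject` models the upper layer failing
 * the connection indication. */
static int lp_con_ind(struct con *c, int reject)
{
    (void)c;
    return reject ? ERR_REJECTED : 0;
}

/* The code that follows the indication in the real handler keeps using con. */
static void con_finish(struct con *c, struct result *r)
{
    if (c->freed) {
        r->uaf = 1;     /* with a real free() this is a write into freed memory */
        return;
    }
    c->state = CON_STATE_OPEN;
}

/* Shape before the fix: the error branch frees con, then falls through. */
static struct result connection_complete_buggy(struct con *c, int reject)
{
    struct result r = {0, 0};

    r.error = lp_con_ind(c, reject);
    if (r.error != 0) {
        free_con(c);
        /* missing: goto out; */
    }
    con_finish(c, &r);      /* dereferences c even on the error path */
    return r;
}

/* Shape after the fix: once con is gone, nothing below may touch it. */
static struct result connection_complete_fixed(struct con *c, int reject)
{
    struct result r = {0, 0};

    r.error = lp_con_ind(c, reject);
    if (r.error != 0) {
        free_con(c);
        goto out;
    }
    con_finish(c, &r);
out:
    return r;
}

/* Driver: allocate one con, run either version, then really release it. */
struct result run_scenario(int fixed, int reject)
{
    struct con *c = con_alloc(0x40);
    struct result r;

    assert(c != NULL);
    r = fixed ? connection_complete_fixed(c, reject)
              : connection_complete_buggy(c, reject);
    con_release(c);
    return r;
}

int main(void)
{
    struct result r = run_scenario(0, 1);
    printf("buggy, rejected: error=%d uaf=%d\n", r.error, r.uaf);
    r = run_scenario(1, 1);
    printf("fixed, rejected: error=%d uaf=%d\n", r.error, r.uaf);
    r = run_scenario(1, 0);
    printf("fixed, accepted: error=%d uaf=%d\n", r.error, r.uaf);
    return 0;
}
```

The `freed` flag stands in for what a sanitizer does: on a real kernel the write in the fall-through path lands on memory the allocator may already have handed to something else, so the symptom is a later, unrelated crash rather than a fault at the bad line. The one-line nature of the fix is typical of this bug class; the check worth making after such a change is that every error branch between the free and the function's exit now jumps past all remaining uses of the pointer.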
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=14803ec8d193d8d46f4137a7dba61b277c6a2fed

commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed
Author:     Takanori Watanabe <takawata@FreeBSD.org>
AuthorDate: 2021-05-26 09:23:33 +0000
Commit:     Takanori Watanabe <takawata@FreeBSD.org>
CommitDate: 2021-05-26 09:23:33 +0000

    Fix a use-after-free in an error case.

    PR: 255872
    Submitted by: lylgood
    Differential Revision: https://reviews.freebsd.org/D30454

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 +
 1 file changed, 1 insertion(+)
Looks good, Thanks.
We should MFC this to stable branches also
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=26c3e7a1ecb375de071786a07bdd68f867acdb3c

commit 26c3e7a1ecb375de071786a07bdd68f867acdb3c
Author:     Takanori Watanabe <takawata@FreeBSD.org>
AuthorDate: 2021-05-26 09:23:33 +0000
Commit:     Takanori Watanabe <takawata@FreeBSD.org>
CommitDate: 2021-06-09 05:20:57 +0000

    Fix a use-after-free in an error case.

    PR: 255872
    Submitted by: lylgood
    Differential Revision: https://reviews.freebsd.org/D30454

    (cherry picked from commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed)

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 +
 1 file changed, 1 insertion(+)
^Triage: Assign to committer resolving, cc previous Assignee. Track stable merge.

Is this going to stable/{12,11}? If so, please close after merging and setting the mfc-* flags to +; otherwise set the mfc flags to - with a comment.
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=766da930f994bc0fe27cc9235f0594a6c4e0a88f

commit 766da930f994bc0fe27cc9235f0594a6c4e0a88f
Author:     Takanori Watanabe <takawata@FreeBSD.org>
AuthorDate: 2021-05-26 09:23:33 +0000
Commit:     Takanori Watanabe <takawata@FreeBSD.org>
CommitDate: 2021-06-28 03:58:48 +0000

    Fix a use-after-free in an error case.

    PR: 255872
    Submitted by: lylgood
    Differential Revision: https://reviews.freebsd.org/D30454

    (cherry picked from commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed)

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 +
 1 file changed, 1 insertion(+)
A commit in branch stable/11 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7bbd5ebae80b52a87d62164a04221752efa8fd50

commit 7bbd5ebae80b52a87d62164a04221752efa8fd50
Author:     Takanori Watanabe <takawata@FreeBSD.org>
AuthorDate: 2021-05-26 09:23:33 +0000
Commit:     Takanori Watanabe <takawata@FreeBSD.org>
CommitDate: 2021-06-28 04:00:51 +0000

    Fix a use-after-free in an error case.

    PR: 255872
    Submitted by: lylgood
    Differential Revision: https://reviews.freebsd.org/D30454

    (cherry picked from commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed)

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 +
 1 file changed, 1 insertion(+)