Bug 255872
| Summary: | netgraph/bluetooth/hci: Fix a use after free in le_connection_complete | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | lylgood | ||||
| Component: | kern | Assignee: | Takanori Watanabe <takawata> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Many People | CC: | emaste, mark, markj, net, takawata | ||||
| Priority: | --- | Flags: | koobs:
mfc-stable13+
takawata: mfc-stable12+ takawata: mfc-stable11+ |
||||
| Version: | CURRENT | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| URL: | https://reviews.freebsd.org/D30454 | ||||||
| Attachments: |
|
||||||
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=14803ec8d193d8d46f4137a7dba61b277c6a2fed commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed Author: Takanori Watanabe <takawata@FreeBSD.org> AuthorDate: 2021-05-26 09:23:33 +0000 Commit: Takanori Watanabe <takawata@FreeBSD.org> CommitDate: 2021-05-26 09:23:33 +0000 Fix a use-after-free in an error case. PR: 255872 Submitted by: lylgood Differential Revision: https://reviews.freebsd.org/D30454 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 + 1 file changed, 1 insertion(+) Looks good, Thanks. We should MFC this to stable branches also A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=26c3e7a1ecb375de071786a07bdd68f867acdb3c commit 26c3e7a1ecb375de071786a07bdd68f867acdb3c Author: Takanori Watanabe <takawata@FreeBSD.org> AuthorDate: 2021-05-26 09:23:33 +0000 Commit: Takanori Watanabe <takawata@FreeBSD.org> CommitDate: 2021-06-09 05:20:57 +0000 Fix a use-after-free in an error case. PR: 255872 Submitted by: lylgood Differential Revision: https://reviews.freebsd.org/D30454 (cherry picked from commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed) sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 + 1 file changed, 1 insertion(+) ^Triage: Assign to committer resolving, cc previous Assignee. Track stable merge
Is this going to stable/{12,11}. If so, please close after merging and setting mfc-* flags to +, otherwise set mfc_flags to - with comment
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=766da930f994bc0fe27cc9235f0594a6c4e0a88f commit 766da930f994bc0fe27cc9235f0594a6c4e0a88f Author: Takanori Watanabe <takawata@FreeBSD.org> AuthorDate: 2021-05-26 09:23:33 +0000 Commit: Takanori Watanabe <takawata@FreeBSD.org> CommitDate: 2021-06-28 03:58:48 +0000 Fix a use-after-free in an error case. PR: 255872 Submitted by: lylgood Differential Revision: https://reviews.freebsd.org/D30454 (cherry picked from commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed) sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 + 1 file changed, 1 insertion(+) A commit in branch stable/11 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=7bbd5ebae80b52a87d62164a04221752efa8fd50 commit 7bbd5ebae80b52a87d62164a04221752efa8fd50 Author: Takanori Watanabe <takawata@FreeBSD.org> AuthorDate: 2021-05-26 09:23:33 +0000 Commit: Takanori Watanabe <takawata@FreeBSD.org> CommitDate: 2021-06-28 04:00:51 +0000 Fix a use-after-free in an error case. PR: 255872 Submitted by: lylgood Differential Revision: https://reviews.freebsd.org/D30454 (cherry picked from commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed) sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 + 1 file changed, 1 insertion(+) |
Created attachment 224936 [details] add goto out if ng_hci_lp_con_ind() error. Bug File: sys/netgraph/bluetooth/hci/ng_hci_evnt.c In function le_connection_complete, con is freed via ng_hci_free_con(con) at line 530. But the freed con is still used later. This free operation performs if an error happened in ng_hci_lp_con_ind(), i think the developer forgot to goto out branch and cause this uaf. My patch fixs this error.