Bug 255872 - netgraph/bluetooth/hci: Fix a use after free in le_connection_complete
Summary: netgraph/bluetooth/hci: Fix a use after free in le_connection_complete
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: Takanori Watanabe
URL: https://reviews.freebsd.org/D30454
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-14 12:35 UTC by lylgood
Modified: 2021-06-10 00:49 UTC (History)
5 users

See Also:
koobs: mfc-stable13+
koobs: mfc-stable12?
koobs: mfc-stable11?


Attachments
add goto out if ng_hci_lp_con_ind() error. (479 bytes, patch)
2021-05-14 12:35 UTC, lylgood

Description lylgood 2021-05-14 12:35:47 UTC
Created attachment 224936 [details]
add goto out if ng_hci_lp_con_ind() error.

Bug File: sys/netgraph/bluetooth/hci/ng_hci_evnt.c

In function le_connection_complete, con is freed via ng_hci_free_con(con) at line 530. But the freed con is still used later.

This free operation is performed if an error happened in ng_hci_lp_con_ind(); I think the developer forgot the goto out branch, which causes this UAF. My patch fixes this error.
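The control-flow defect the report describes, as an added illustration that is not FreeBSD's code: mock_lp_con_ind(), mock_free_con(), touch_con() and run_variant() are hypothetical stand-ins for the HCI routines, and the free is instrumented with a flag so the stale access is counted deterministically instead of being undefined behaviour.

```c
/* Added illustration, not sys/netgraph/bluetooth/hci code. The names below are
 * hypothetical stand-ins for ng_hci_lp_con_ind() and ng_hci_free_con(). */
#include <stdbool.h>

struct con {            /* stand-in for the HCI connection descriptor */
    int  handle;
    bool freed;         /* instrumentation: set by mock_free_con() */
};

static int uaf_detected;    /* number of accesses to an already-freed con */

static void mock_free_con(struct con *con) { con->freed = true; }

/* Any later access to con goes through here so a stale use is observable. */
static void touch_con(struct con *con, int value)
{
    if (con->freed)
        uaf_detected++;     /* in the kernel this is the real use-after-free */
    else
        con->handle = value;
}

/* Stand-in for ng_hci_lp_con_ind(): fails when 'fail' is set. */
static int mock_lp_con_ind(bool fail) { return fail ? -1 : 0; }

/* Pattern from the report: con is freed on error but used afterwards. */
static int complete_vulnerable(struct con *con, bool ind_fails)
{
    int error = mock_lp_con_ind(ind_fails);
    if (error != 0)
        mock_free_con(con);     /* missing: goto out */
    touch_con(con, 0x42);       /* still reached after the free */
    return error;
}

/* Fixed pattern: leave right after releasing con, as the patch does. */
static int complete_fixed(struct con *con, bool ind_fails)
{
    int error = mock_lp_con_ind(ind_fails);
    if (error != 0) {
        mock_free_con(con);
        goto out;
    }
    touch_con(con, 0x42);
out:
    return error;
}

/* Runs one variant on a fresh con and returns the number of stale accesses. */
static int run_variant(int (*fn)(struct con *, bool), bool ind_fails)
{
    struct con con = { .handle = 0, .freed = false };
    uaf_detected = 0;
    (void)fn(&con, ind_fails);
    return uaf_detected;
}
```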
Comment 1 Mark Johnston freebsd_committer 2021-05-25 16:34:50 UTC
https://reviews.freebsd.org/D30454
Comment 2 commit-hook freebsd_committer 2021-05-26 09:31:11 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=14803ec8d193d8d46f4137a7dba61b277c6a2fed

commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed
Author:     Takanori Watanabe <takawata@FreeBSD.org>
AuthorDate: 2021-05-26 09:23:33 +0000
Commit:     Takanori Watanabe <takawata@FreeBSD.org>
CommitDate: 2021-05-26 09:23:33 +0000

    Fix a use-after-free in an error case.

    PR: 255872
    Submitted by:  lylgood
    Differential Revision:  https://reviews.freebsd.org/D30454

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 +
 1 file changed, 1 insertion(+)
Comment 3 Takanori Watanabe freebsd_committer 2021-05-26 09:32:47 UTC
Looks good, Thanks.
Comment 4 Ed Maste freebsd_committer 2021-05-26 16:52:49 UTC
We should MFC this to stable branches also
Comment 5 commit-hook freebsd_committer 2021-06-09 05:22:34 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=26c3e7a1ecb375de071786a07bdd68f867acdb3c

commit 26c3e7a1ecb375de071786a07bdd68f867acdb3c
Author:     Takanori Watanabe <takawata@FreeBSD.org>
AuthorDate: 2021-05-26 09:23:33 +0000
Commit:     Takanori Watanabe <takawata@FreeBSD.org>
CommitDate: 2021-06-09 05:20:57 +0000

    Fix a use-after-free in an error case.

    PR: 255872
    Submitted by:  lylgood
    Differential Revision:  https://reviews.freebsd.org/D30454

    (cherry picked from commit 14803ec8d193d8d46f4137a7dba61b277c6a2fed)

 sys/netgraph/bluetooth/hci/ng_hci_evnt.c | 1 +
 1 file changed, 1 insertion(+)
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-10 00:49:49 UTC
^Triage: Assign to committer resolving, cc previous Assignee. Track stable merge

Is this going to stable/{12,11}? If so, please close after merging and setting the mfc-* flags to +; otherwise set mfc_flags to - with a comment.