Message ID | 20240105232030.42941-1-yuxuan.luo@canonical.com
---|---
Series | CVE-2023-51779
This patch also applies for Jammy-OEM-6.1 using Lunar's patch. Sorry for the inconvenience.

On 1/5/24 18:20, Yuxuan Luo wrote:
> [Impact]
> A vulnerability has been found in Linux kernel
> net/bluetooth/af_bluetooth.c. This can cause a race with bt_sock_ioctl()
> because bt_sock_recvmsg() gets the skb from sk->sk_receive_queue and
> then frees it without holding lock_sock. A use-after-free for a skb
> occurs which leads to potential denial of service.
>
> [Backport]
> For Lunar and Mantic it is a clean cherry pick.
> For Focal and Jammy, there exists a prerequisite commit, f4b41f062c42
> (“net: remove noblock parameter from skb_recv_datagram()”). However,
> this commit only removes the obsolete parameter, so ignore this commit
> and manually backport the lock.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> Expect very low regression potential.
>
> Hyunwoo Kim (1):
>   Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
>
>  net/bluetooth/af_bluetooth.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
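The race from the [Impact] paragraph, modelled in user space as an added example (not the kernel's code and not the patch in this series): recvmsg_thread stands in for bt_sock_recvmsg(), ioctl_thread for bt_sock_ioctl(), and the `patched` flag selects whether the dequeue-and-free happens under the socket lock. The `freed` marker, the queue size and the function names are constructed for illustration; a real skb would be freed, not flagged.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#define NSKB 20000
struct skb { struct skb *next; atomic_int freed; }; /* constructed model, not kernel code */
struct sock {
    pthread_mutex_t sk_lock;        /* stands in for lock_sock()/release_sock() */
    _Atomic(struct skb *) head;     /* sk_receive_queue; single consumer, so no list lock needed */
    int patched;                    /* 1 = recvmsg holds sk_lock around dequeue+free (the fix) */
    atomic_int stale_reads;         /* ioctl used an skb that recvmsg had already freed */
};
static struct skb pool[NSKB];
/* Model of bt_sock_recvmsg(): take the head skb off the queue, then free it. */
static void *recvmsg_thread(void *arg)
{
    struct sock *sk = arg; struct skb *skb;
    do {
        if (sk->patched) pthread_mutex_lock(&sk->sk_lock);
        skb = atomic_load(&sk->head);              /* skb_recv_datagram() */
        if (skb) atomic_store(&sk->head, skb->next);
        if (skb) atomic_store(&skb->freed, 1);     /* skb_free_datagram() */
        if (sk->patched) pthread_mutex_unlock(&sk->sk_lock);
    } while (skb);
    return NULL;
}
/* Model of bt_sock_ioctl(): under lock_sock, peek at the head skb and then use it. */
static void *ioctl_thread(void *arg)
{
    struct sock *sk = arg; struct skb *skb;
    do {
        pthread_mutex_lock(&sk->sk_lock);
        skb = atomic_load(&sk->head);              /* skb_peek() */
        if (skb && atomic_load(&skb->freed))       /* the use: stale if recvmsg freed it meanwhile */
            atomic_fetch_add(&sk->stale_reads, 1);
        pthread_mutex_unlock(&sk->sk_lock);
    } while (skb);
    return NULL;
}
/* Runs both sides over a fresh queue; returns how many ioctl uses hit a freed skb. */
int run_race(int patched)
{
    struct sock sk = { PTHREAD_MUTEX_INITIALIZER, pool, patched, 0 };
    for (int i = 0; i < NSKB; i++) {               /* build a queue of NSKB fresh skbs */
        pool[i].next = i + 1 < NSKB ? &pool[i + 1] : NULL;
        atomic_init(&pool[i].freed, 0);
    }
    pthread_t a, b;
    pthread_create(&a, NULL, recvmsg_thread, &sk);
    pthread_create(&b, NULL, ioctl_thread, &sk);
    pthread_join(a, NULL); pthread_join(b, NULL);
    return atomic_load(&sk.stale_reads);
}
```

With `patched` set the ioctl side can never observe a freed skb; without it the count depends on thread scheduling, which is why the original bug surfaces as an intermittent crash rather than a reproducible failure.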
On 6.1.2024 at 1.20, Yuxuan Luo wrote:
> [...]

applied to oem-6.1-prep, thanks
On 1/5/24 4:20 PM, Yuxuan Luo wrote:
> [...]

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 06/01/2024 00:20, Yuxuan Luo wrote:
> [...]

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
On 06/01/2024 00:20, Yuxuan Luo wrote:
> [...]

Applied to mantic, lunar, jammy, focal master-next branches. Thanks!