Date: Tue, 28 Mar 2023 16:00:22 +0200
From: Solar Designer <solar@...nwall.com>
To: Zhenghan Wang <wzhmmmmm@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-28464: Linux: Bluetooth: hci_conn_cleanup function has double free

Hi Zhenghan Wang,

Thank you for bringing this to oss-security.

On Tue, Mar 28, 2023 at 08:00:00AM +0800, Zhenghan Wang wrote:
> This patch drops the hci_dev_put and hci_conn_put function calls in the
> hci_conn_cleanup function, because the object is freed in the hci_conn_del_sysfs
> function.
> https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm@gmail.com/

Please remind the Bluetooth subsystem maintainers, such as by "replying"
to your own message you had sent them on March 9.  When doing so, please
also inform them of the CVE ID and of the oss-security posting.

For others on oss-security: Zhenghan Wang brought this issue to
linux-distros and s@k.o on March 8, brought it to the subsystem
maintainers and public Linux mailing lists on March 9 (of which
linux-distros and s@k.o were not specifically informed), and then there
was no progress until Carlos Lopez from SUSE sent a reminder when we
were already just past the maximum embargo duration for linux-distros.

Of course, it was inappropriate that no one stayed on top of the issue
during the embargo.  The corresponding contributing-back task is:

https://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back

"9. Stay on top of issues to ensure progress is being made, remind
others when there's no apparent progress, as well as when the public
disclosure date for an issue is approaching and when it's finally
reached (unless the reporter beats you to it by making their mandatory
posting to oss-security first) - primary: Gentoo, backup: Amazon"

I brought this up on linux-distros and we already heard from Anthony
Liguori for Amazon, who as you can see from another thread on
oss-security is now also contributing the list statistics, which could
help detect such delays too.  Thanks, Anthony!

However, we have not heard from Gentoo, who are "primary" on this and a
couple of other related tasks.  Gentoo, please let us all know whether
you intend to handle these tasks, or should we remove the assignment?

As to the public message on Linux mailing lists on March 9, this time
linux-distros did not specifically evaluate whether it was too revealing
or not, and whether it'd make sense to keep the issue "embargoed" after
such publication.  Like I wrote above, the very fact that such a posting
was made was brought to linux-distros rather late.  However, for further
occasions we do have a separate problem here - while we did introduce an
exception for Linux kernel where such double-think is accepted, would
this one have gotten too far?  The posting did not say "security",
"vulnerability", nor mention a CVE ID.  However, it did mention "double
free" in Bluetooth, and it kind of had to - no other reasonable way to
justify the patch.  Now, not all double free bugs are vulnerabilities -
some are not attacker-exposed.  (BTW, I did not look into whether this
one is.)  Yet a bug of this category in a network subsystem would
reasonably attract potential attackers' attention.  Also or OTOH,
"KASAN: slab-use-after-free Read in hci_conn_hash_flush" in syzbot could
have attracted attention, too.

Alexander
