From: Jann Horn
Date: Tue, 12 May 2026 22:15:39 +0200
Subject: [PATCH] Bluetooth: bnep: Fix UAF read of dev->name
Message-Id: <20260512-bnep-add-uaf-v1-1-f62ff8f61d50@google.com>
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jann Horn
X-Mailer: b4 0.15-dev

bnep_add_connection() needs to keep holding the bnep_session_sem while
reading dev->name (just like bnep_get_connlist() does); otherwise the
bnep_session() thread can concurrently free the net_device, which can for
example be triggered by a concurrent bnep_del_connection().

(This UAF is fairly uninteresting from a security perspective; calling
bnep_add_connection() requires passing a capable(CAP_NET_ADMIN) check. It
also requires completely tearing down a netdev during a fairly tight race
window.)

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn
---
I have tested that this bug can lead to UAF by using KASAN and introducing
an artificial delay with mdelay().
---
 net/bluetooth/bnep/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c index 853c8d7644b5..0de5df690bd0 100644 --- a/net/bluetooth/bnep/core.c +++ b/net/bluetooth/bnep/core.c @@ -645,8 +645,8 @@ int bnep_add_connection(struct bnep_connadd_req *req, s= truct socket *sock) goto failed; } =20 - up_write(&bnep_session_sem); strcpy(req->device, dev->name); + up_write(&bnep_session_sem); return 0; =20 failed: --- base-commit: 1d5dcaa3bd65f2e8c9baa14a393d3a2dc5db7524 change-id: 20260512-bnep-add-uaf-f730caec3b13 -- =20 Jann Horn
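Review bot: The reorder correctly keeps strcpy(req->device, dev->name) inside the bnep_session_sem critical section, but nothing in the hunk records why; a one-line comment above the strcpy (for example "/* dev may be freed by bnep_session() once the lock is dropped */") would stop a later refactor from moving the copy back past the up_write, which is how this ordering went unnoticed since the initial import named in the Fixes tag. Also worth confirming in review that the failed: path below the hunk still releases bnep_session_sem on its own, since the up_write moved here now sits only on the success path.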
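The race the commit message describes, as an added user-space model that is not kernel code and not part of the patch: a pthread mutex stands in for bnep_session_sem, a static struct stands in for the net_device, and the "teardown" thread poisons the name instead of freeing memory so the stale read is observable rather than undefined behaviour. The interleaving is forced with a join, the way the author forced it with mdelay(); model_dev, session_sem, teardown and add_connection are constructed names.

```c
#include <pthread.h>
#include <string.h>

/* Constructed stand-in for a net_device; only the name matters here. */
#define NAME_SZ 16
struct model_dev { char name[NAME_SZ]; };

/* Session state guarded by the lock, playing the role of bnep_session_sem. */
static pthread_mutex_t session_sem = PTHREAD_MUTEX_INITIALIZER;
static struct model_dev the_dev;      /* static storage stands in for the kmalloc'd netdev */
static struct model_dev *session_dev; /* NULL once the session thread tore it down */

/* Models the bnep_session() thread freeing the netdev under the lock.
 * Instead of free(), the name is overwritten with a poison string so a
 * stale reader sees "<freed>" rather than triggering real UB. */
static void *teardown(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&session_sem);
    strcpy(session_dev->name, "<freed>");
    session_dev = NULL;
    pthread_mutex_unlock(&session_sem);
    return NULL;
}

/* Runs the add_connection path. copy_under_lock == 1 is the patched ordering
 * (copy, then unlock); 0 is the original ordering (unlock, then copy). The
 * teardown thread is started while the lock is held and joined before the
 * unlocked read, which forces exactly the interleaving the patch closes. */
static const char *add_connection(char *out, int copy_under_lock)
{
    pthread_t t;
    struct model_dev *dev;

    strcpy(the_dev.name, "bnep0");
    session_dev = &the_dev;
    pthread_mutex_lock(&session_sem);
    dev = session_dev;
    pthread_create(&t, NULL, teardown, NULL); /* blocks on session_sem */
    if (copy_under_lock)
        strcpy(out, dev->name);               /* patched: read while held */
    pthread_mutex_unlock(&session_sem);
    pthread_join(t, NULL);                    /* teardown runs here */
    if (!copy_under_lock)
        strcpy(out, dev->name);               /* original: stale read */
    return out;
}
```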