Bluetooth: bnep: fix wild-memory-access in proto_unregister

Ye Bin · mehmetb0 · commit 1e95961320e7 · 2025-01-13T03:47:41.000+03:00
BugLink: https://bugs.launchpad.net/bugs/2089272 [ Upstream commit 64a9099 ] There's issue as follows: KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f] CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W RIP: 0010:proto_unregister+0xee/0x400 Call Trace: <TASK> __do_sys_delete_module+0x318/0x580 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init() will cleanup all resource. Then when remove bnep module will call bnep_sock_cleanup() to cleanup sock's resource. To solve above issue just return bnep_sock_init()'s return value in bnep_exit(). Fixes: 1da177e ("Linux-2.6.12-rc2") Signed-off-by: Ye Bin <yebin10@huawei.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> CVE-2024-50148 Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com> Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
@@ -745,8 +745,7 @@ static int __init bnep_init(void)
 	if (flt[0])
 		BT_INFO("BNEP filters: %s", flt);
 
-	bnep_sock_init();
-	return 0;
+	return bnep_sock_init();
 }
 
 static void __exit bnep_exit(void)

Original file line number	Diff line number	Diff line change
`@@ -745,8 +745,7 @@ static int __init bnep_init(void)`
`745`	`745`	`if (flt[0])`
`746`	`746`	`BT_INFO("BNEP filters: %s", flt);`
`747`	`747`
`748`		`- bnep_sock_init();`
`749`		`- return 0;`
	`748`	`+ return bnep_sock_init();`
`750`	`749`	`}`
`751`	`750`
`752`	`751`	`static void __exit bnep_exit(void)`