<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi developers,<br>
      <br>
      This is SyzScope, a research project that aims to reveal high-risk
      primitives from a low-risk bug.<br>
      <br>
      We noticed that Ubuntu did a good job of applying patches for
      high-risk bugs (CVEs, OOB/UAF write), but in our research, we found
      that some low-risk bugs, even WARNING, may compromise the kernel.<br>
      <br>
      SyzScope discovered at least one high-risk primitive (memory
      write/func-ptr-deref) in the low-risk bugs below; their
      patches seem not to have been applied on Ubuntu-groovy.<br>
      <br>
      Regarding the bug "KASAN: use-after-free Read in hci_send_acl"
(<a class="moz-txt-link-freetext" href="https://syzkaller.appspot.com/bug?id=2e1943a94647f7732dd6fc60368642d6e8dc91b1">https://syzkaller.appspot.com/bug?id=2e1943a94647f7732dd6fc60368642d6e8dc91b1</a>),
      SyzScope reports 51 memory write primitives. The detailed comments
      can be found at
<a class="moz-txt-link-freetext" href="https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_send_acl">https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_send_acl</a><br>
      <br>
      Regarding the bug "KASAN: use-after-free Read in cipso_v4_genopt"
(<a class="moz-txt-link-freetext" href="https://syzkaller.appspot.com/bug?id=96e7d345748d8814901c91cd92084ed04b46701e">https://syzkaller.appspot.com/bug?id=96e7d345748d8814901c91cd92084ed04b46701e</a>),
      SyzScope reports 6 memory write primitives. The detailed comments
      can be found at
<a class="moz-txt-link-freetext" href="https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-cipso_v4_genopt">https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-cipso_v4_genopt</a><br>
      <br>
      Regarding the bug "KASAN: use-after-free Read in path_init (2)"
(<a class="moz-txt-link-freetext" href="https://syzkaller.appspot.com/bug?id=a13951ba83ba7ba6e67fa8b504e8bc31f61616cb">https://syzkaller.appspot.com/bug?id=a13951ba83ba7ba6e67fa8b504e8bc31f61616cb</a>),
      SyzScope reports 86 memory write primitives. The detailed comments
      can be found at
<a class="moz-txt-link-freetext" href="https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-path_init-2">https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-path_init-2</a></p>
    <p>Regarding the bug "KASAN: slab-out-of-bounds Read in
hci_extended_inquiry_result_evt" (<a class="moz-txt-link-freetext" href="https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2">https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2</a>),
      SyzScope reports 8 memory write primitives. The detailed comments
      can be found at
<a class="moz-txt-link-freetext" href="https://sites.google.com/view/syzscope/kasan-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt">https://sites.google.com/view/syzscope/kasan-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt</a>.
    </p>
    <p><br>
      The bugs above are a portion of our findings; we are happy to
      provide more if they benefit the community.<br>
      <br>
      Please let us know if SyzScope indeed helps, and any
      suggestions/feedback. <br>
    </p>
  </body>
</html>