CVE-2024-36013
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix.
Call stack summary:
[use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); … (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state … (4) <- use after free
[free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: … (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) … (3) <- chan freed └ mutex_unlock(&conn->chan_lock);
================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 73ffa904b78287f6acf8797e040150aa26a4af4a < cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5 | affected |
| Linux | Linux | 73ffa904b78287f6acf8797e040150aa26a4af4a < 826af9d2f69567c646ff46d10393d47e30ad23c6 | affected |
| Linux | Linux | 73ffa904b78287f6acf8797e040150aa26a4af4a < 4d7b41c0e43995b0e992b9f8903109275744b658 | affected |
| Linux | Linux | 3.0 | affected |
| Linux | Linux | 0 < 3.0 | unaffected |
| Linux | Linux | 6.6.32 <= 6.6.* | unaffected |
| Linux | Linux | 6.8.11 <= 6.8.* | unaffected |
| Linux | Linux | 6.9 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5
- https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6
- https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658
- http://www.openwall.com/lists/oss-security/2024/05/30/2
- http://www.openwall.com/lists/oss-security/2024/05/30/1
References
- https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5
- https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6
- https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.