Vulnerabilidad en kernel de Linux (CVE-2024-49950)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: L2CAP: Fix uaf en l2cap_connect [Syzbot informó] ERROR: KASAN: slab-use-after-free en l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 Lectura de tamaño 8 en la dirección ffff8880241e9800 por la tarea kworker/u9:0/54 CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 No contaminado 6.11.0-rc6-syzkaller-00268-g788220eee30d #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Cola de trabajo: hci2 hci_rx_work Seguimiento de llamadas: __dump_stack lib/dump_stack.c:93 [en línea] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 imprimir_dirección_descripción mm/kasan/report.c:377 [en línea] imprimir_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [en línea] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [en línea] l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [en línea] l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 hci_acldata_packet net/bluetooth/hci_core.c:3791 [en línea] hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [en línea] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 ... Liberado por la tarea 5245: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [en línea] slab_free_hook mm/slub.c:2256 [en línea] slab_free mm/slub.c:4477 [en línea] kfree+0x12a/0x3b0 mm/slub.c:4598 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [en línea] kref_put include/linux/kref.h:65 [en línea] l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [en línea] l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 l2cap_connect_cfm+0x9e6/0xf80 red/bluetooth/l2cap_core.c:7241 hci_connect_cfm include/red/bluetooth/hci_core.h:1960 [en línea] hci_conn_failed+0x1c3/0x370 red/bluetooth/hci_conn.c:1265 hci_abort_conn_sync+0x75a/0xb50 red/bluetooth/hci_sync.c:5583 abort_conn_sync+0x197/0x360 red/bluetooth/hci_conn.c:2917 hci_cmd_sync_work+0x1a4/0x410 red/bluetooth/hci_sync.c:328 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [en línea] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244