CVE-2022-49909
Severity CVSS v4.0: Pending analysis
Type: CWE-416 (Use After Free)
Publication date: 01/05/2025
Last modified: 07/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

When l2cap_recv_frame() is invoked to receive data, and the cid is
L2CAP_CID_A2MP, if the channel does not exist, it will create a channel.
However, after a channel is created, the hold operation of the channel
is not performed. In this case, the value of channel reference counting
is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()
invokes the close hook function of A2MP to release the channel. Then
l2cap_chan_unlock(chan) will trigger a UAF issue.

The process is as follows:

```
Receive data:
l2cap_data_channel()
  a2mp_channel_create()      ---> channel ref is 2
  l2cap_chan_put()           ---> channel ref is 1

Trigger event:
hci_error_reset()
  hci_dev_do_close()
    ...
    l2cap_disconn_cfm()
      l2cap_conn_del()
        l2cap_chan_hold()    ---> channel ref is 2
        l2cap_chan_del()     ---> channel ref is 1
        a2mp_chan_close_cb() ---> channel ref is 0, release channel
        l2cap_chan_unlock()  ---> UAF of channel
```

The detailed Call Trace is as follows:

```
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
Workqueue: hci0 hci_error_reset
Call Trace:
 dump_stack_lvl+0xcd/0x134
 print_report.cold+0x2ba/0x719
 kasan_report+0xb1/0x1e0
 kasan_check_range+0x140/0x190
 __mutex_unlock_slowpath+0xa6/0x5e0
 l2cap_conn_del+0x404/0x7b0
 l2cap_disconn_cfm+0x8c/0xc0
 hci_conn_hash_flush+0x11f/0x260
 hci_dev_close_sync+0x5f5/0x11f0
 hci_dev_do_close+0x2d/0x70
 hci_error_reset+0x9e/0x140
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30

Allocated by task 7593:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0xa9/0xd0
 l2cap_chan_create+0x40/0x930
 amp_mgr_create+0x96/0x990
 a2mp_channel_create+0x7d/0x150
 l2cap_recv_frame+0x51b8/0x9a70
 l2cap_recv_acldata+0xaa3/0xc00
 hci_rx_work+0x702/0x1220
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30

Freed by task 7593:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 ____kasan_slab_free+0x167/0x1c0
 slab_free_freelist_hook+0x89/0x1c0
 kfree+0xe2/0x580
 l2cap_chan_put+0x22a/0x2d0
 l2cap_conn_del+0x3fc/0x7b0
 l2cap_disconn_cfm+0x8c/0xc0
 hci_conn_hash_flush+0x11f/0x260
 hci_dev_close_sync+0x5f5/0x11f0
 hci_dev_do_close+0x2d/0x70
 hci_error_reset+0x9e/0x140
 process_one_work+0x98a/0x1620
 worker_thread+0x665/0x1080
 kthread+0x2e4/0x3a0
 ret_from_fork+0x1f/0x30

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0xbe/0xd0
 call_rcu+0x99/0x740
 netlink_release+0xe6a/0x1cf0
 __sock_release+0xcd/0x280
 sock_close+0x18/0x20
 __fput+0x27c/0xa90
 task_work_run+0xdd/0x1a0
 exit_to_user_mode_prepare+0x23c/0x250
 syscall_exit_to_user_mode+0x19/0x50
 do_syscall_64+0x42/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0xbe/0xd0
 call_rcu+0x99/0x740
 netlink_release+0xe6a/0x1cf0
 __sock_release+0xcd/0x280
 sock_close+0x18/0x20
 __fput+0x27c/0xa90
 task_work_run+0xdd/0x1a0
 exit_to_user_mode_prepare+0x23c/0x250
 syscall_exit_to_user_mode+0x19/0x50
 do_syscall_64+0x42/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
```
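The refcount imbalance the commit message describes, modelled as an added C example that is not kernel code: `chan_hold`/`chan_put` stand in for l2cap_chan_hold()/l2cap_chan_put(), the teardown sequence follows the l2cap_conn_del() steps listed above, and the `with_fix` flag takes the hold that the commit message says is missing after channel creation.

```c
#include <stdbool.h>

/* Minimal model of an L2CAP channel: only the refcount matters here. */
struct chan {
    int ref;
    bool freed;   /* set when the last reference is dropped (kfree in the kernel) */
};

static void chan_hold(struct chan *c) { c->ref++; }   /* l2cap_chan_hold() */

static void chan_put(struct chan *c)                  /* l2cap_chan_put()  */
{
    if (--c->ref == 0)
        c->freed = true;
}

/* Receive path for cid L2CAP_CID_A2MP when no channel exists yet.
 * a2mp_channel_create() leaves the new channel at ref 2 and the data
 * path then puts one reference; with_fix adds the hold that the commit
 * message says was not performed after creation. */
static void receive_a2mp(struct chan *c, bool with_fix)
{
    c->ref = 2;
    c->freed = false;
    if (with_fix)
        chan_hold(c);
    chan_put(c);
}

/* Teardown sequence of l2cap_conn_del() as listed in the commit message.
 * Returns true if the unlock step runs on an already freed channel. */
static bool conn_del(struct chan *c)
{
    bool uaf;

    chan_hold(c);            /* l2cap_chan_hold()                          */
    chan_put(c);             /* l2cap_chan_del() drops the conn reference  */
    chan_put(c);             /* a2mp_chan_close_cb() drops the A2MP ref    */
    uaf = c->freed;          /* l2cap_chan_unlock(chan) touches chan here  */
    if (!c->freed)
        chan_put(c);         /* the caller's final l2cap_chan_put()        */
    return uaf;
}

/* Whole scenario: receive data, then the hci_error_reset() teardown. */
bool teardown_hits_uaf(bool with_fix)
{
    struct chan c;
    receive_a2mp(&c, with_fix);
    return conn_del(&c);
}
```

Without the extra hold the channel reaches ref 0 at the close callback and the unlock touches freed memory; with it the channel survives until the caller's final put.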
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.326 (including) | 4.9.333 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.291 (including) | 4.14.299 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.255 (including) | 4.19.265 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.209 (including) | 5.4.224 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.135 (including) | 5.10.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.59 (including) | 5.15.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18.16 (including) | 6.0.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0d0e2d032811280b927650ff3c15fe5020e82533
- https://git.kernel.org/stable/c/17c6164854f8bb80bf76f32b2c2f199c16b53703
- https://git.kernel.org/stable/c/7f7bfdd9a9af3b12c33d9da9a012e7f4d5c91f4b
- https://git.kernel.org/stable/c/8f7e4cf0694149a5d999d676ebd9ecf1b4cb2cc9
- https://git.kernel.org/stable/c/a3a7b2ac64de232edb67279e804932cb42f0b52a
- https://git.kernel.org/stable/c/c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
- https://git.kernel.org/stable/c/d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
- https://git.kernel.org/stable/c/db4a0783ed78beb2ebaa32f5f785bfd79c580689