CVE-2022-49910
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
01/05/2025
Last modified:
11/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

Fix the race condition between the following two flows that run in
parallel:

1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->
__sock_queue_rcv_skb.

2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.

An SKB can be queued by the first flow and immediately dequeued and
freed by the second flow, therefore the callers of l2cap_reassemble_sdu
can't use the SKB after that function returns. However, some places
continue accessing struct l2cap_ctrl that resides in the SKB's CB for a
short time after l2cap_reassemble_sdu returns, leading to a
use-after-free condition (the stack trace is below, line numbers for
kernel 5.19.8).

Fix it by keeping a local copy of struct l2cap_ctrl.

BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169

Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:

dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
ret_from_fork (arch/x86/entry/entry_64.S:306)

Allocated by task 43169:
kasan_save_stack (mm/kasan/common.c:39)
__kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
__alloc_skb (net/core/skbuff.c:414)
l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
process_one_work (kernel/workqueue.c:2289)
worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
kthread (kernel/kthread.c:376)
ret_from_fork (arch/x86/entry/entry_64.S:306)

Freed by task 27920:
kasan_save_stack (mm/kasan/common.c:39)
kasan_set_track (mm/kasan/common.c:45)
kasan_set_free_info (mm/kasan/generic.c:372)
____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
slab_free_freelist_hook (mm/slub.c:1780)
kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
sock_read_iter (net/socket.c:1087)
new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
vfs_read (fs/read_write.c:482)
ksys_read (fs/read_write.c:620)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
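The ownership hazard the commit message describes, as an added user-space model that is not kernel code: the consumer frees the buffer synchronously inside the queue call (the worst-case interleaving), so the vulnerable ordering reads a wiped control block on every run while the fixed ordering returns the value it copied first. Struct layouts, the one-slot pool and all function names are assumptions.

```c
/* Added example, not kernel code: a user-space model of the ordering bug
 * behind CVE-2022-49910. The consumer frees the buffer synchronously inside
 * the queue call (worst-case interleaving), so the hazard shows on every run.
 * Struct layouts, the one-slot pool and all names are assumptions. */
#include <stdint.h>
#include <string.h>

struct l2cap_ctrl { uint8_t sar; uint8_t final; uint16_t txseq; }; /* lives in skb->cb */

struct skb {
    uint8_t cb[48];   /* per-buffer control block, like the kernel's skb->cb */
    int in_use;
};
#define CTRL(skb) ((struct l2cap_ctrl *)(skb)->cb)

/* One static slot stands in for the slab; "freeing" wipes it at once so a
 * stale read returns zeros here instead of undefined behaviour. */
static struct skb pool_slot;
static struct skb *skb_alloc(void) { pool_slot.in_use = 1; return &pool_slot; }
static void skb_free(struct skb *skb) { memset(skb, 0, sizeof *skb); }

/* Consumer flow (bt_sock_recvmsg -> skb_free_datagram): takes ownership and
 * frees the skb. Called synchronously here to force the racy ordering. */
static void sock_queue_rcv_skb(struct skb *skb) { skb_free(skb); }

/* Producer flow: once this returns, the caller no longer owns skb. */
static void l2cap_reassemble_sdu(struct skb *skb) { sock_queue_rcv_skb(skb); }

/* Vulnerable ordering: reads skb->cb after ownership was handed off. In the
 * real kernel this is the read KASAN reported in l2cap_rx_state_recv. */
int rx_state_recv_vulnerable(struct skb *skb)
{
    l2cap_reassemble_sdu(skb);
    return CTRL(skb)->final;
}

/* Fixed ordering (what the upstream patch does): copy the control block to
 * a local before the buffer leaves our hands, and use only the copy after. */
int rx_state_recv_fixed(struct skb *skb)
{
    struct l2cap_ctrl control = *CTRL(skb);
    l2cap_reassemble_sdu(skb);
    return control.final;
}

/* Constructed frame whose control block carries final=1, txseq=7. */
struct skb *make_frame(void)
{
    struct skb *skb = skb_alloc();
    CTRL(skb)->sar = 0; CTRL(skb)->final = 1; CTRL(skb)->txseq = 7;
    return skb;
}
```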
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.6 (including) | 4.9.333 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.299 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.265 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.224 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.154 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.78 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/03af22e23b96fb7ef75fb7885407ef457e8b403d
- https://git.kernel.org/stable/c/3aff8aaca4e36dc8b17eaa011684881a80238966
- https://git.kernel.org/stable/c/4cd094fd5d872862ca278e15b9b51b07e915ef3f
- https://git.kernel.org/stable/c/6c7407bfbeafc80a04e6eaedcf34d378532a04f2
- https://git.kernel.org/stable/c/8278a87bb1eeea94350d675ef961ee5a03341fde
- https://git.kernel.org/stable/c/9a04161244603f502c6e453913e51edd59cb70c1
- https://git.kernel.org/stable/c/cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
- https://git.kernel.org/stable/c/dc30e05bb18852303084430c03ca76e69257d9ea