CVE-2023-53046

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
05/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix race condition in hci_cmd_sync_clear

There is a potential race condition between hci_cmd_sync_work and hci_cmd_sync_clear, which could lead to a use-after-free. For instance, hci_cmd_sync_work is added to the 'req_workqueue' after cancel_work_sync. The entry of 'cmd_sync_work_list' may be freed in hci_cmd_sync_clear, causing a kernel panic when it is used in 'hci_cmd_sync_work'.

Here's the call trace:

dump_stack_lvl+0x49/0x63
print_report.cold+0x5e/0x5d3
? hci_cmd_sync_work+0x282/0x320
kasan_report+0xaa/0x120
? hci_cmd_sync_work+0x282/0x320
__asan_report_load8_noabort+0x14/0x20
hci_cmd_sync_work+0x282/0x320
process_one_work+0x77b/0x11c0
? _raw_spin_lock_irq+0x8e/0xf0
worker_thread+0x544/0x1180
? poll_idle+0x1e0/0x1e0
kthread+0x285/0x320
? process_one_work+0x11c0/0x11c0
? kthread_complete_and_exit+0x30/0x30
ret_from_fork+0x22/0x30

Allocated by task 266:
kasan_save_stack+0x26/0x50
__kasan_kmalloc+0xae/0xe0
kmem_cache_alloc_trace+0x191/0x350
hci_cmd_sync_queue+0x97/0x2b0
hci_update_passive_scan+0x176/0x1d0
le_conn_complete_evt+0x1b5/0x1a00
hci_le_conn_complete_evt+0x234/0x340
hci_le_meta_evt+0x231/0x4e0
hci_event_packet+0x4c5/0xf00
hci_rx_work+0x37d/0x880
process_one_work+0x77b/0x11c0
worker_thread+0x544/0x1180
kthread+0x285/0x320
ret_from_fork+0x22/0x30

Freed by task 269:
kasan_save_stack+0x26/0x50
kasan_set_track+0x25/0x40
kasan_set_free_info+0x24/0x40
____kasan_slab_free+0x176/0x1c0
__kasan_slab_free+0x12/0x20
slab_free_freelist_hook+0x95/0x1a0
kfree+0xba/0x2f0
hci_cmd_sync_clear+0x14c/0x210
hci_unregister_dev+0xff/0x440
vhci_release+0x7b/0xf0
__fput+0x1f3/0x970
____fput+0xe/0x20
task_work_run+0xd4/0x160
do_exit+0x8b0/0x22a0
do_group_exit+0xba/0x2a0
get_signal+0x1e4a/0x25b0
arch_do_signal_or_restart+0x93/0x1f80
exit_to_user_mode_prepare+0xf5/0x1a0
syscall_exit_to_user_mode+0x26/0x50
ret_from_fork+0x15/0x30

Impact