CVE-2023-53762

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 08/12/2025
Last modified: 08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync

Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a controller event.

To prevent this, the code now tries to iterate over the list backwards to ensure the links are cleaned up before their parents; also, it no longer relies on a cursor. Instead it always uses the last element, since hci_abort_conn_sync is guaranteed to call hci_conn_del.

UAF crash log:
==================================================================
BUG: KASAN: slab-use-after-free in hci_set_powered_sync
(net/bluetooth/hci_sync.c:5424) [bluetooth]
Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124

CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W
6.5.0-rc1+ #10
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call Trace:

dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xdd/0x160
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
kasan_report+0xa6/0xe0
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
? __pfx_lock_release+0x10/0x10
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_cmd_sync_work+0x137/0x220 [bluetooth]
process_one_work+0x526/0x9d0
? __pfx_process_one_work+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? mark_held_locks+0x1a/0x90
worker_thread+0x92/0x630
? __pfx_worker_thread+0x10/0x10
kthread+0x196/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50


Allocated by task 1782:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0x8f/0xa0
hci_conn_add+0xa5/0xa80 [bluetooth]
hci_bind_cis+0x881/0x9b0 [bluetooth]
iso_connect_cis+0x121/0x520 [bluetooth]
iso_sock_connect+0x3f6/0x790 [bluetooth]
__sys_connect+0x109/0x130
__x64_sys_connect+0x40/0x50
do_syscall_64+0x60/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 695:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x50
__kasan_slab_free+0x10a/0x180
__kmem_cache_free+0x14d/0x2e0
device_release+0x5d/0xf0
kobject_put+0xdf/0x270
hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
hci_event_packet+0x579/0x7e0 [bluetooth]
hci_rx_work+0x287/0xaa0 [bluetooth]
process_one_work+0x526/0x9d0
worker_thread+0x92/0x630
kthread+0x196/0x1e0
ret_from_fork+0x2c/0x50
==================================================================
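The fix described above replaces a cursor-based walk with "take the last element until the list is empty", relying on the tear-down routine always removing the element it is handed. The following is an added illustration of that pattern, not the kernel's code: the list helpers, the conn/dev structures, the handles 1 to 4 and the names conn_del, abort_conn, disconnect_all and run_demo are all constructed for this example, standing in for hci_conn_del, hci_abort_conn_sync and hci_disconnect_all_sync.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal doubly-linked list (hypothetical stand-in for the kernel helpers). */
struct node { struct node *prev, *next; };
static void list_init(struct node *h) { h->next = h->prev = h; }
static int  list_empty(const struct node *h) { return h->next == h; }
static void list_add_tail(struct node *h, struct node *n)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct node *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}

/* One connection. Child links are added after their parent, so they sit
 * nearer the tail of the list than the parent does. */
struct conn {
	struct node link;
	int handle;            /* constructed identifier */
	struct conn *parent;   /* NULL for a top-level connection */
};
#define to_conn(n) ((struct conn *)((char *)(n) - offsetof(struct conn, link)))

struct dev {
	struct node conns;     /* connection list head */
	int deleted[16];       /* handles in deletion order, for checking */
	int ndeleted;
	int orphans;           /* parents freed while a child still referenced them */
};

static struct conn *conn_add(struct dev *d, int handle, struct conn *parent)
{
	struct conn *c = calloc(1, sizeof *c);
	if (!c) abort();
	c->handle = handle; c->parent = parent;
	list_add_tail(&d->conns, &c->link);
	return c;
}

/* Stands in for hci_conn_del: unlink and free; the pointer is dead afterwards.
 * The loop records a violation if any surviving child still points at c. */
static void conn_del(struct dev *d, struct conn *c)
{
	for (struct node *n = d->conns.next; n != &d->conns; n = n->next)
		if (to_conn(n)->parent == c) d->orphans++;
	if (d->ndeleted < 16) d->deleted[d->ndeleted++] = c->handle;
	list_del(&c->link);
	free(c);
}

/* Stands in for hci_abort_conn_sync, which always ends in conn_del. */
static void abort_conn(struct dev *d, struct conn *c) { conn_del(d, c); }

/* Hazardous shape, for contrast only (not compiled into the demo):
 *   for (n = d->conns.next; n != &d->conns; n = n->next)
 *       abort_conn(d, to_conn(n));          // n->next read after n was freed
 * A saved "next" cursor has the same problem when a concurrent controller
 * event deletes that neighbour before the loop reaches it. */

/* Shape of the fix: no cursor. Each round takes whatever is currently last;
 * abort_conn removes it, so the loop makes progress and never reads a node
 * it no longer owns. Tail-first order tears children down before parents. */
static int disconnect_all(struct dev *d)
{
	int n = 0;
	while (!list_empty(&d->conns)) {
		abort_conn(d, to_conn(d->conns.prev));
		n++;
	}
	return n;
}

/* Constructed scenario: connection 1 with children 2 and 3, then connection 4.
 * Returns the number torn down; order[] receives handles in deletion order,
 * *orphans the number of parent-before-child violations (expected 0). */
static int run_demo(int *order, int cap, int *orphans)
{
	struct dev d;
	memset(&d, 0, sizeof d);
	list_init(&d.conns);
	struct conn *top = conn_add(&d, 1, NULL);
	conn_add(&d, 2, top);
	conn_add(&d, 3, top);
	conn_add(&d, 4, NULL);

	int n = disconnect_all(&d);
	for (int i = 0; i < n && i < cap; i++) order[i] = d.deleted[i];
	*orphans = d.orphans;
	return n;   /* deletion order for this input: 4, 3, 2, 1 */
}

int main(void)
{
	int order[8], orphans, n = run_demo(order, 8, &orphans);
	printf("tore down %d connections, orphans=%d, order:", n, orphans);
	for (int i = 0; i < n; i++) printf(" %d", order[i]);
	printf("\n");
	return orphans ? 1 : 0;
}
```

The point to carry over to any list whose processing function frees the element it is given: do not keep a cursor across the call, and pick the element to process from the live list on every iteration. The orphan counter in conn_del shows why the fix iterates from the tail rather than the head: with children appended after their parents, tail-first order guarantees a parent is never freed while a child still references it.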

Impact