CVE

CVE-2024-36013

Severity:
MEDIUM
Type:
CWE-416 Use After Free
Publication date:
23/05/2024
Last modified:
03/07/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()

Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.

Call stack summary:

[use]
l2cap_bredr_sig_cmd
  l2cap_connect
  ┌ mutex_lock(&conn->chan_lock);
  │ chan = pchan->ops->new_connection(pchan); <- alloc
  │ __l2cap_chan_add(conn, chan);
  │   l2cap_chan_hold(chan);
  │   list_add(&chan->list, &conn->chan_l); ... (1)
  └ mutex_unlock(&conn->chan_lock);
  chan->conf_state ... (4) <- use after free

[free]
l2cap_conn_del
┌ mutex_lock(&conn->chan_lock);
│ foreach chan in conn->chan_l: ... (2)
│   l2cap_chan_put(chan);
│     l2cap_chan_destroy
│       kfree(chan) ... (3) <- free
└ mutex_unlock(&conn->chan_lock);

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
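The interleaving described in the call stack summary above, written out as a constructed C model. This is an added illustration, not kernel code and not the fix itself: chan_alloc, chan_add, conn_del, connect_before_fix and connect_after_fix are invented stand-ins for the kernel functions named in the summary, the chan and conn structs carry only the fields the race needs, a shadow freed bit on each object plays the role KASAN plays in the report, and the second CPU is replaced by a hook invoked at the exact program point where l2cap_conn_del would run, so the outcome is deterministic. The pre-fix function drops the lock before the read at (4) and reports the use-after-free; the post-fix function keeps the lock across that read, so the teardown cannot run until chan is no longer touched.

```c
/* Constructed model of CVE-2024-36013's race; not kernel code. */
#include <stdio.h>
#include <string.h>

#define UAF_DETECTED    (-1)
#define CONF_STATE_INIT 0x10        /* marker value a live channel carries */
#define POOL_SIZE       4

struct chan {
    int conf_state;
    int refcnt;
    int freed;                      /* shadow liveness bit, standing in for KASAN */
    struct chan *next;
};

struct conn {
    int lock_held;                  /* models conn->chan_lock */
    struct chan *chan_l;            /* models conn->chan_l */
};

/* Tiny allocator: freed slots are poisoned but stay addressable, so the stale
 * read at (4) can be inspected instead of crashing the demo. */
static struct chan pool[POOL_SIZE];
static unsigned pool_used;

static struct chan *chan_alloc(void)
{
    struct chan *c = &pool[pool_used++ % POOL_SIZE];
    memset(c, 0, sizeof *c);
    c->conf_state = CONF_STATE_INIT;
    return c;
}

/* "kfree": mark the object dead and poison it SLUB-style. */
static void chan_free(struct chan *c) { c->freed = 1; c->conf_state = 0x6b6b6b6b; }
static void chan_hold(struct chan *c) { c->refcnt++; }
static void chan_put(struct chan *c)  { if (--c->refcnt == 0) chan_free(c); }

static int  conn_trylock(struct conn *conn) { if (conn->lock_held) return 0; conn->lock_held = 1; return 1; }
static void conn_lock(struct conn *conn)    { conn->lock_held = 1; }   /* uncontended in this single-threaded model */
static void conn_unlock(struct conn *conn)  { conn->lock_held = 0; }

/* (1): publish chan on conn->chan_l; the list owns the only reference. */
static void chan_add(struct conn *conn, struct chan *c)
{
    chan_hold(c);
    c->next = conn->chan_l;
    conn->chan_l = c;
}

/* Models l2cap_conn_del(), steps (2) and (3). Returns 0 when chan_lock is
 * taken: the real mutex would block there, so the caller reruns it later. */
static int conn_del(struct conn *conn)
{
    if (!conn_trylock(conn))
        return 0;
    while (conn->chan_l) {
        struct chan *c = conn->chan_l;
        conn->chan_l = c->next;
        chan_put(c);                /* last reference: destroy -> kfree */
    }
    conn_unlock(conn);
    return 1;
}

/* (4): the read of chan->conf_state. KASAN would report a freed access;
 * the shadow bit turns it into a return code instead. */
static int read_conf_state(struct chan *c) { return c->freed ? UAF_DETECTED : c->conf_state; }

typedef int (*other_cpu_fn)(struct conn *);

/* Pre-fix shape: chan_lock is released before chan is used again. */
static int connect_before_fix(struct conn *conn, other_cpu_fn other_cpu)
{
    conn_lock(conn);
    struct chan *chan = chan_alloc();
    chan_add(conn, chan);
    conn_unlock(conn);
    other_cpu(conn);                /* teardown slips in and frees chan */
    return read_conf_state(chan);   /* dereference of freed memory */
}

/* Post-fix shape: the critical section extends over the last use of chan. */
static int connect_after_fix(struct conn *conn, other_cpu_fn other_cpu)
{
    conn_lock(conn);
    struct chan *chan = chan_alloc();
    chan_add(conn, chan);
    int ran = other_cpu(conn);      /* teardown cannot take chan_lock yet */
    int state = read_conf_state(chan);  /* chan is still alive */
    conn_unlock(conn);
    if (!ran)
        other_cpu(conn);            /* the waiting teardown now completes */
    return state;
}

int main(void)
{
    struct conn a = {0}, b = {0};
    printf("before fix: %d (-1 = use-after-free)\n", connect_before_fix(&a, conn_del));
    printf("after fix:  %d\n", connect_after_fix(&b, conn_del));
    return 0;
}
```

In the model, as in the call stack summary, the only reference on chan is the one the list takes at step (1); once chan_lock is dropped, the teardown path can take that reference away at (2) and (3), which is why the fix extends the critical section over the read at (4) rather than reordering statements. Holding a reference across the use would close the same window, but it is the lock, not a reference, that the commit adds.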