CVE-2024-36013
Severity: MEDIUM
Type: CWE-416 Use After Free
Publication date: 23/05/2024
Last modified: 03/07/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()

Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.

Call stack summary:

[use]
l2cap_bredr_sig_cmd
l2cap_connect
┌ mutex_lock(&conn->chan_lock);
│ chan = pchan->ops->new_connection(pchan); list, &conn->chan_l); ... (1)
└ mutex_unlock(&conn->chan_lock);
chan->conf_state ... (4) chan_lock);
│ foreach chan in conn->chan_l: ... (2)
│ l2cap_chan_put(chan);
│ l2cap_chan_destroy
│ kfree(chan) ... (3) chan_lock);

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
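
The ordering of steps (1) to (4) in the call stack summary, and why extending the critical section closes the window, shown as an added single-threaded C model that is not part of the advisory or of the kernel patch. The names `chan_put`, `conn_teardown` and `connect_model`, the one-entry list, the single reference and the `freed` flag standing in for `kfree()` are all assumptions made for illustration.

```c
/* Added example: single-threaded model of steps (1)-(4) in the call stack
 * summary. Every name is a hypothetical stand-in, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct chan { int refcnt; bool freed; };
struct conn { bool chan_lock; struct chan *chan_l; }; /* one-entry "list" */

static void chan_put(struct chan *c) {
    if (--c->refcnt == 0)
        c->freed = true;        /* stands in for kfree(chan), step (3) */
}

/* Teardown path, steps (2)-(3): needs chan_lock, so it cannot run while
 * the connect path holds it. Returns true if it ran. */
static bool conn_teardown(struct conn *conn) {
    if (conn->chan_lock)
        return false;           /* a real thread would block here */
    conn->chan_lock = true;
    if (conn->chan_l) {
        chan_put(conn->chan_l);
        conn->chan_l = NULL;
    }
    conn->chan_lock = false;
    return true;
}

/* Connect path. Returns 0 if the step (4) access saw a live chan,
 * -1 if it would have touched a freed one. */
static int connect_model(struct conn *conn, struct chan *c, bool extended) {
    conn->chan_lock = true;
    c->refcnt = 1; c->freed = false; /* assumption: list owns the only ref */
    conn->chan_l = c;                /* step (1) */
    if (!extended)
        conn->chan_lock = false;     /* before the fix: unlock, then use */
    conn_teardown(conn);             /* worst-case interleaving */
    int ret = c->freed ? -1 : 0;     /* chan->conf_state access, step (4) */
    conn->chan_lock = false;         /* after the fix: unlock after the use */
    return ret;
}

int main(void) {
    struct conn conn = { false, NULL };
    struct chan c;
    printf("short section: %d\n", connect_model(&conn, &c, false));
    printf("extended section: %d\n", connect_model(&conn, &c, true));
    return 0;
}
```

With the short critical section the teardown runs between steps (1) and (4) and the model reports -1; with the extended one the teardown is held off until after the access and the result is 0.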
Impact
Base Score 3.x: 6.80
Severity 3.x: MEDIUM
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/05/30/1
- http://www.openwall.com/lists/oss-security/2024/05/30/2
- https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658
- https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6
- https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5