CVE-2024-53208

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync<br /> <br /> This fixes the following crash:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353<br /> Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54<br /> <br /> CPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:93 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:488<br /> q kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353<br /> hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328<br /> process_one_work kernel/workqueue.c:3231 [inline]<br /> process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312<br /> worker_thread+0x86d/0xd10 kernel/workqueue.c:3389<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> <br /> Allocated by task 5247:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:370 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387<br /> kasan_kmalloc include/linux/kasan.h:211 [inline]<br /> __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193<br /> kmalloc_noprof include/linux/slab.h:681 [inline]<br /> kzalloc_noprof include/linux/slab.h:807 [inline]<br /> mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269<br /> mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296<br /> set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394<br /> hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712<br /> hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:745<br /> sock_write_iter+0x2dd/0x400 net/socket.c:1160<br /> new_sync_write fs/read_write.c:497 [inline]<br /> vfs_write+0xa72/0xc90 fs/read_write.c:590<br /> ksys_write+0x1a0/0x2c0 fs/read_write.c:643<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 5246:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579<br /> poison_slab_object+0xe0/0x150 mm/kasan/common.c:240<br /> __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256<br /> kasan_slab_free include/linux/kasan.h:184 [inline]<br /> slab_free_hook mm/slub.c:2256 [inline]<br /> slab_free mm/slub.c:4477 [inline]<br /> kfree+0x149/0x360 mm/slub.c:4598<br /> settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443<br /> mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259<br /> __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455<br /> hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191<br /> hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]<br /> hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508<br /> sock_do_ioctl+0x158/0x460 net/socket.c:1222<br /> sock_ioctl+0x629/0x8e0 net/socket.c:1341<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83gv<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f