Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-21969

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
01/04/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd<br /> <br /> After the hci sync command releases l2cap_conn, the hci receive data work<br /> queue references the released l2cap_conn when sending to the upper layer.<br /> Add hci dev lock to the hci receive data work queue to synchronize the two.<br /> <br /> [1]<br /> BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954<br /> Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837<br /> <br /> CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Workqueue: hci1 hci_rx_work<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:489<br /> kasan_report+0x143/0x180 mm/kasan/report.c:602<br /> l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]<br /> l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954<br /> l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]<br /> l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline]<br /> l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817<br /> hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]<br /> hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> <br /> Allocated by task 5837:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329<br /> kmalloc_noprof include/linux/slab.h:901 [inline]<br /> kzalloc_noprof include/linux/slab.h:1037 [inline]<br /> l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860<br /> l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239<br /> hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]<br /> hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726<br /> hci_event_func net/bluetooth/hci_event.c:7473 [inline]<br /> hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525<br /> hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> Freed by task 54:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2353 [inline]<br /> slab_free mm/slub.c:4613 [inline]<br /> kfree+0x196/0x430 mm/slub.c:4761<br /> l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235<br /> hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]<br /> hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266<br /> hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603<br /> hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools