CVE-2023-53673
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
07/10/2025
Last modified:
08/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: call disconnect callback before deleting conn

In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.

ISO, L2CAP and SCO connections refer to the hci_conn without
hci_conn_get, so disconn_cfm must be called so they can clean up their
conn, otherwise use-after-free occurs.

ISO:
==========================================================
iso_sock_connect:880: sk 00000000eabd6557
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
hci_dev_put:1487: hci0 orig refcnt 17
__iso_chan_add:214: conn 00000000b6251073
iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
...
hci_rx_work:4085: hci0 Event packet
hci_event_packet:7601: hci0: event 0x0f
hci_cmd_status_evt:4346: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3107: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
hci_chan_list_flush:2780: hcon 000000001696f1fd
hci_dev_put:1487: hci0 orig refcnt 21
hci_dev_put:1487: hci0 orig refcnt 20
hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
... ...
iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
BUG: kernel NULL pointer dereference, address: 0000000000000668
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
==========================================================

L2CAP:
==================================================================
hci_cmd_status_evt:4359: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3085: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
hci_conn_unlink:1102: hci0: hcon ffff88800c999000
hci_chan_list_flush:2780: hcon ffff88800c999000
hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
...
BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175

CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:

dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xf8/0x180
? hci_send_acl+0x2d/0x540 [bluetooth]
kasan_report+0xa8/0xe0
? hci_send_acl+0x2d/0x540 [bluetooth]
hci_send_acl+0x2d/0x540 [bluetooth]
? __pfx___lock_acquire+0x10/0x10
l2cap_chan_send+0x1fd/0x1300 [bluetooth]
? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
? lock_release+0x1d5/0x3c0
? mark_held_locks+0x1a/0x90
l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
sock_write_iter+0x275/0x280
? __pfx_sock_write_iter+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
do_iter_readv_writev+0x176/0x220
? __pfx_do_iter_readv_writev+0x10/0x10
? find_held_lock+0x83/0xa0
? selinux_file_permission+0x13e/0x210
do_iter_write+0xda/0x340
vfs_writev+0x1b4/0x400
? __pfx_vfs_writev+0x10/0x10
? __seccomp_filter+0x112/0x750
? populate_seccomp_data+0x182/0x220
? __fget_light+0xdf/0x100
? do_writev+0x19d/0x210
do_writev+0x19d/0x210
? __pfx_do_writev+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0x60/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
? do_syscall_64+0x6c/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7ff45cb23e64
Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 
---truncated---
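The ordering the fix establishes, as an added stand-alone C model that is not the kernel's code: an upper-layer connection that holds a plain, unreferenced pointer to an hci_conn, a disconn_cfm callback that clears that pointer, and an hci_conn_del that runs the callback before freeing. The struct layouts, the proto_conn type and the reuse of the handle and 0x0c status from the log above are simplified assumptions for illustration.

```c
#include <stdlib.h>

/* An ISO/L2CAP/SCO-style user that keeps a raw pointer to the hci_conn
 * without hci_conn_get, so only a disconn_cfm call can invalidate it. */
struct proto_conn {
    struct hci_conn *hcon;
    int closed;                /* disconnect reason once disconn_cfm ran */
};

struct hci_conn {
    int handle;
    struct proto_conn *user;   /* upper layer to notify on teardown */
};

/* disconn_cfm callback: the upper layer forgets the hcon before it is freed. */
static void proto_disconn_cfm(struct proto_conn *pc, int reason)
{
    pc->hcon = NULL;
    pc->closed = reason;
}

/* Teardown in the corrected order: run the callback first, then free. */
static void hci_conn_del(struct hci_conn *hcon, int reason)
{
    if (hcon->user)
        proto_disconn_cfm(hcon->user, reason);
    free(hcon);
}

/* Upper-layer send path; refuses rather than touching a freed hcon. */
static int proto_sendmsg(const struct proto_conn *pc)
{
    return pc->hcon ? pc->hcon->handle : -1;
}

/* Model the hci_cs_disconnect path with a failed Disconnect command
 * (status 0x0c): the hcon is deleted anyway. Returns 1 if the user was
 * detached and a later send was refused instead of dereferencing. */
int disconnect_then_send(void)
{
    struct hci_conn *hcon = calloc(1, sizeof *hcon);
    struct proto_conn pc = { hcon, 0 };
    if (!hcon) return 0;
    hcon->handle = 2560;
    hcon->user = &pc;
    if (proto_sendmsg(&pc) != 2560) return 0;   /* live path works */
    hci_conn_del(hcon, 0x0c);
    return pc.closed == 0x0c && pc.hcon == NULL && proto_sendmsg(&pc) == -1;
}
```

Without the callback step, pc.hcon would still point at freed memory and the final send would be the use-after-free the KASAN report shows.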