Vulnerabilidad en kernel de Linux (CVE-2025-38473)
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/07/2025
Última modificación:
29/07/2025
Descripción
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: Se corrige el error null-ptr-deref en l2cap_sock_resume_cb(). syzbot reportó un error null-ptr-deref en l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() presenta un problema similar, corregido con el commit 1bff51ea59a9 ("Bluetooth: Se corrige el error de use-after-free en lock_sock_nested()"). Dado que tanto l2cap_sock_kill() como l2cap_sock_resume_cb() se ejecutan bajo l2cap_sock_resume_cb(), podemos evitar el problema simplemente comprobando si chan->data es NULL. No se accederá al socket eliminado en l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0
- https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0
- https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec
- https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08
- https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96