CVE-2024-49950

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix uaf in l2cap_connect<br /> <br /> [Syzbot reported]<br /> BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949<br /> Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54<br /> <br /> CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024<br /> Workqueue: hci2 hci_rx_work<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:93 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0xc3/0x620 mm/kasan/report.c:488<br /> kasan_report+0xd9/0x110 mm/kasan/report.c:601<br /> l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949<br /> l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]<br /> l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]<br /> l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]<br /> l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825<br /> l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514<br /> hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]<br /> hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028<br /> process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231<br /> process_scheduled_works kernel/workqueue.c:3312 [inline]<br /> worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389<br /> kthread+0x2c1/0x3a0 kernel/kthread.c:389<br /> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> ...<br /> <br /> Freed by task 5245:<br /> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br /> kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579<br /> poison_slab_object+0xf7/0x160 mm/kasan/common.c:240<br /> __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256<br /> kasan_slab_free include/linux/kasan.h:184 [inline]<br /> slab_free_hook mm/slub.c:2256 [inline]<br /> slab_free mm/slub.c:4477 [inline]<br /> kfree+0x12a/0x3b0 mm/slub.c:4598<br /> l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]<br /> kref_put include/linux/kref.h:65 [inline]<br /> l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]<br /> l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802<br /> l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241<br /> hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]<br /> hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265<br /> hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583<br /> abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917<br /> hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328<br /> process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231<br /> process_scheduled_works kernel/workqueue.c:3312 [inline]<br /> worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389<br /> kthread+0x2c1/0x3a0 kernel/kthread.c:389<br /> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244