CVE-2024-58013
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync<br />
<br />
This fixes the following crash:<br />
<br />
==================================================================<br />
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543<br />
Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961<br />
<br />
CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br />
Workqueue: hci0 hci_cmd_sync_work<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:94 [inline]<br />
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br />
print_address_description mm/kasan/report.c:378 [inline]<br />
print_report+0x169/0x550 mm/kasan/report.c:489<br />
kasan_report+0x143/0x180 mm/kasan/report.c:602<br />
mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543<br />
hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332<br />
process_one_work kernel/workqueue.c:3229 [inline]<br />
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310<br />
worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br />
kthread+0x2f0/0x390 kernel/kthread.c:389<br />
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br />
<br />
<br />
Allocated by task 16026:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br />
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br />
kasan_kmalloc include/linux/kasan.h:260 [inline]<br />
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314<br />
kmalloc_noprof include/linux/slab.h:901 [inline]<br />
kzalloc_noprof include/linux/slab.h:1037 [inline]<br />
mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269<br />
mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296<br />
remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568<br />
hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712<br />
hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832<br />
sock_sendmsg_nosec net/socket.c:711 [inline]<br />
__sock_sendmsg+0x221/0x270 net/socket.c:726<br />
sock_write_iter+0x2d7/0x3f0 net/socket.c:1147<br />
new_sync_write fs/read_write.c:586 [inline]<br />
vfs_write+0xaeb/0xd30 fs/read_write.c:679<br />
ksys_write+0x18f/0x2b0 fs/read_write.c:731<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
Freed by task 16022:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582<br />
poison_slab_object mm/kasan/common.c:247 [inline]<br />
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264<br />
kasan_slab_free include/linux/kasan.h:233 [inline]<br />
slab_free_hook mm/slub.c:2338 [inline]<br />
slab_free mm/slub.c:4598 [inline]<br />
kfree+0x196/0x420 mm/slub.c:4746<br />
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259<br />
__mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550<br />
hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208<br />
hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]<br />
hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508<br />
sock_do_ioctl+0x158/0x460 net/socket.c:1209<br />
sock_ioctl+0x626/0x8e0 net/socket.c:1328<br />
vfs_ioctl fs/ioctl.c:51 [inline]<br />
__do_sys_ioctl fs/ioctl.c:906 [inline]<br />
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.129 (excluding) | |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.78 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.14 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0f3d05aacbfcf3584bbd9caaee34cb02508dab68
- https://git.kernel.org/stable/c/26fbd3494a7dd26269cb0817c289267dbcfdec06
- https://git.kernel.org/stable/c/4ebbcb9bc794e5be647ee28fdf14eb1ae0659405
- https://git.kernel.org/stable/c/75e65b983c5e2ee51962bfada98a79d805f28827
- https://git.kernel.org/stable/c/ebb90f23f0ac21044aacf4c61cc5d7841fe99987