CVE-2024-58013

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync<br /> <br /> This fixes the following crash:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543<br /> Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961<br /> <br /> CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:489<br /> kasan_report+0x143/0x180 mm/kasan/report.c:602<br /> mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543<br /> hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> <br /> Allocated by task 16026:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314<br /> kmalloc_noprof include/linux/slab.h:901 [inline]<br /> kzalloc_noprof include/linux/slab.h:1037 [inline]<br /> mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269<br /> mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296<br /> remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568<br /> hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712<br /> hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:726<br /> sock_write_iter+0x2d7/0x3f0 net/socket.c:1147<br /> new_sync_write fs/read_write.c:586 [inline]<br /> vfs_write+0xaeb/0xd30 fs/read_write.c:679<br /> ksys_write+0x18f/0x2b0 fs/read_write.c:731<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 16022:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2338 [inline]<br /> slab_free mm/slub.c:4598 [inline]<br /> kfree+0x196/0x420 mm/slub.c:4746<br /> mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259<br /> __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550<br /> hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208<br /> hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]<br /> hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508<br /> sock_do_ioctl+0x158/0x460 net/socket.c:1209<br /> sock_ioctl+0x626/0x8e0 net/socket.c:1328<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:906 [inline]<br /> __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.3 (excluding)