Vulnerabilidad en kernel de Linux (CVE-2024-27399)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: l2cap: corrige null-ptr-deref en l2cap_chan_timeout Existe una condición de ejecución entre l2cap_chan_timeout() y l2cap_chan_del(). Cuando usamos l2cap_chan_del() para eliminar el canal, chan->conn se establecerá en nulo. Pero se podría desreferenciar la conexión nuevamente en mutex_lock() de l2cap_chan_timeout(). Como resultado, se producirá el error de desreferencia del puntero nulo. El informe KASAN activado por POC se muestra a continuación: [472.074580] ====================================== ============================= [472.075284] ERROR: KASAN: null-ptr-deref en mutex_lock+0x68/0xc0 [472.075308] Escritura de tamaño 8 en la dirección 0000000000000158 mediante tarea kworker/0:0/7 [ 472.075308] [ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [ 472. 075308 ] Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.075308] Cola de trabajo: eventos l2cap_chan_timeout [ 472.075308] Seguimiento de llamadas: [ 472.075308] [ 4 72.075308 ] dump_stack_lvl+0x137/0x1a0 [ 472.075308] print_report+0x101/0x250 [ 472.075308] ? __virt_addr_valid+0x77/0x160 [472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_report+0x139/0x170 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_check_range+0x2c3/0x2e0 [ 472.075308] mutex_lock+0x68/0xc0 [ 472.075308] l2cap_chan_timeout+0x181/0x300 [ 472.075308] +0x5d2/0xe00 [ 472.075308] hilo_trabajador+0xe1d/0x1660 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] kthread+0x2b7/0x350 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [472.075308]? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork+0x4d/0x80 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork_asm+0x11/0x20 [ 472.075308] [ 472.075308] ============================ ======================================= [ 472.094860] Deshabilitar la depuración de bloqueo debido a la corrupción del kernel [ 472.096136] ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000158 [ 472.096136] #PF: acceso de escritura del supervisor en modo kernel [ 472.096136] #PF: error_code(0x0002) - página no presente [ 472.096136] PGD 0 P4D 0 [ 4 72.096136] Ups : 0002 [#1] PREEMPT SMP KASAN NOPTI [ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Contaminado: GB 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.096136] Nombre de hardware: PC estándar QEMU ( i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.096136] Cola de trabajo: eventos l2cap_chan_timeout [ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0 [ 472.09613 6] Código: ser 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 [ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 [ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 [ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 [ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7 f R09: 1ffff11000e89f8f [ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 [ 472.096136] R13: 0000000000000158 : ffff88800744fc78 R15: ffff888007405a00 [ 472.096136 ] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 00000000800500 33 [ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 [ 472.096136] Seguimiento de llamadas: [ 472.096136] [ 472.096136] ? __die_body+0x8d/0xe0 [ 472.096136] ? page_fault_oops+0x6b8/0x9a0 [472.096136]? kernelmode_fixup_or_oops+0x20c/0x2a0 [472.096136]? do_user_addr_fault+0x1027/0x1340 [472.096136]? _printk+0x7a/0xa0 [ 472.096136] ? mutex_lock+0x68/0xc0 [472.096136]? add_taint+0x42/0xd0 [472.096136]? exc_page_fault+0x6a/0x1b0 [472.096136]? asm_exc_page_fault+0x26/0x30 [472.096136]? mutex_lock+0x75/0xc0 [472.096136]? mutex_lock+0x88/0xc0 [472.096136]? mutex_lock+0x75/0xc0 [472.096136] l2cap_chan_timeo ---truncado---