CVE-2024-36013

2024-05-2307:15:08

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

cve-2024-36013

use-after-free

l2cap_connect

vulnerability

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()

Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.

Call stack summary:

[use]
l2cap_bredr_sig_cmd
l2cap_connect
┌ mutex_lock(&conn->chan_lock);
│ chan = pchan->ops->new_connection(pchan); <- alloc chan
│ __l2cap_chan_add(conn, chan);
│ l2cap_chan_hold(chan);
│ list_add(&chan->list, &conn->chan_l); … (1)
└ mutex_unlock(&conn->chan_lock);
chan->conf_state … (4) <- use after free

[free]
l2cap_conn_del
┌ mutex_lock(&conn->chan_lock);
│ foreach chan in conn->chan_l: … (2)
│ l2cap_chan_put(chan);
│ l2cap_chan_destroy
│ kfree(chan) … (3) <- chan freed
└ mutex_unlock(&conn->chan_lock);

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311

Affected configurations

Vulners

Node

linuxlinux_kernelRange3.0–6.6.32

linuxlinux_kernelRange6.7.0–6.8.11

linuxlinux_kernelRange6.9.0≥

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/bluetooth/l2cap_core.c"
    ],
    "versions": [
      {
        "version": "73ffa904b782",
        "lessThan": "cfe560c7050b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "73ffa904b782",
        "lessThan": "826af9d2f695",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "73ffa904b782",
        "lessThan": "4d7b41c0e439",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/bluetooth/l2cap_core.c"
    ],
    "versions": [
      {
        "version": "3.0",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "3.0",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.32",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.11",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]