Lucene search

K
cve416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2024-36013
HistoryMay 23, 2024 - 7:15 a.m.

CVE-2024-36013

2024-05-2307:15:08
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
55
linux kernel
cve-2024-36013
use-after-free
l2cap_connect
vulnerability

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()

Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.

Call stack summary:

[use]
l2cap_bredr_sig_cmd
l2cap_connect
ā”Œ mutex_lock(&conn->chan_lock);
ā”‚ chan = pchan->ops->new_connection(pchan); <- alloc chan
ā”‚ __l2cap_chan_add(conn, chan);
ā”‚ l2cap_chan_hold(chan);
ā”‚ list_add(&chan->list, &conn->chan_l); ā€¦ (1)
ā”” mutex_unlock(&conn->chan_lock);
chan->conf_state ā€¦ (4) <- use after free

[free]
l2cap_conn_del
ā”Œ mutex_lock(&conn->chan_lock);
ā”‚ foreach chan in conn->chan_l: ā€¦ (2)
ā”‚ l2cap_chan_put(chan);
ā”‚ l2cap_chan_destroy
ā”‚ kfree(chan) ā€¦ (3) <- chan freed
ā”” mutex_unlock(&conn->chan_lock);

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311

Affected configurations

Vulners
Node
linuxlinux_kernelRange3.0ā€“6.6.32
OR
linuxlinux_kernelRange6.7.0ā€“6.8.11
OR
linuxlinux_kernelRange6.9.0ā‰„

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/bluetooth/l2cap_core.c"
    ],
    "versions": [
      {
        "version": "73ffa904b782",
        "lessThan": "cfe560c7050b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "73ffa904b782",
        "lessThan": "826af9d2f695",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "73ffa904b782",
        "lessThan": "4d7b41c0e439",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/bluetooth/l2cap_core.c"
    ],
    "versions": [
      {
        "version": "3.0",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "3.0",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.32",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.11",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%