In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix double free in hci_conn_cleanup syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here’s a simplified flow: hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name) hci_dev_put: … kfree(name) hci_conn_put: put_device … kfree(name) This patch drop the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function. This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures. This fixes CVE-2023-28464.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | linux | < 6.1.64-1 | linux_6.1.64-1_all.deb |
Debian | 11 | all | linux | < 5.10.205-1 | linux_5.10.205-1_all.deb |
Debian | 10 | all | linux | < 4.19.304-1 | linux_4.19.304-1_all.deb |
Debian | 999 | all | linux | < 6.6.8-1 | linux_6.6.8-1_all.deb |
Debian | 13 | all | linux | < 6.6.8-1 | linux_6.6.8-1_all.deb |