416baaa9-dc9f-4396-8d5f-8c081fb06d67NVD:CVE-2024-36013CVE-2024-36013
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.
Call stack summary:
[use]
l2cap_bredr_sig_cmd
l2cap_connect
ā mutex_lock(&conn->chan_lock);
ā chan = pchan->ops->new_connection(pchan); <- alloc chan
ā __l2cap_chan_add(conn, chan);
ā l2cap_chan_hold(chan);
ā list_add(&chan->list, &conn->chan_l); ā¦ (1)
ā mutex_unlock(&conn->chan_lock);
chan->conf_state ā¦ (4) <- use after free
[free]
l2cap_conn_del
ā mutex_lock(&conn->chan_lock);
ā foreach chan in conn->chan_l: ā¦ (2)
ā l2cap_chan_put(chan);
ā l2cap_chan_destroy
ā kfree(chan) ā¦ (3) <- chan freed
ā mutex_unlock(&conn->chan_lock);
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
Related
