CVE-2024-26886

Bluetooth: af_bluetooth: Fix deadlock

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: af_bluetooth: Fix deadlock

Attemting to do sock_lock on .recvmsg may cause a deadlock as shown
bellow, so instead of using sock_sock this uses sk_receive_queue.lock
on bt_sock_ioctl to avoid the UAF:

INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__schedule+0x37d/0xa00
schedule+0x32/0xe0
__lock_sock+0x68/0xa0
? __pfx_autoremove_wake_function+0x10/0x10
lock_sock_nested+0x43/0x50
l2cap_sock_recv_cb+0x21/0xa0
l2cap_recv_frame+0x55b/0x30a0
? psi_task_switch+0xeb/0x270
? finish_task_switch.isra.0+0x93/0x2a0
hci_rx_work+0x33a/0x3f0
process_one_work+0x13a/0x2f0
worker_thread+0x2f0/0x410
? __pfx_worker_thread+0x10/0x10
kthread+0xe0/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: af_bluetooth: Reparar interbloqueo Intentar ejecutar sock_lock en .recvmsg puede causar un interbloqueo como se muestra a continuación, por lo que en lugar de usar sock_sock, usa sk_receive_queue.lock en bt_sock_ioctl para evitar el UAF: INFORMACIÓN: tarea kworker/u9:1:121 bloqueada durante más de 30 segundos. No contaminado 6.7.6-lemon #183 Cola de trabajo: hci0 hci_rx_work Seguimiento de llamadas: __schedule+0x37d/0xa00 Schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270? terminar_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 proceso_one_work+0x13a/0x2f0 trabajador_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30

A flaw was found in the Linux kernel’s Bluetooth subsystem, specifically within the af_bluetooth module. The issue arises when attempting to perform a sock_lock on the .recvmsg method, leading to a deadlock situation. In this scenario, multiple tasks wait indefinitely for a resource, causing significant performance degradation or system crashes.
The vulnerability occurs during Bluetooth operations, where tasks are blocked for more than 30 seconds, creating potential instability. The solution was to replace the sock_sock lock with the sk_receive_queue.lock in the bt_sock_ioctl function to prevent a use-after-free (UAF) condition and avoid the deadlock.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.3

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-17 CVE Published
2024-04-18 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-833: Deadlock

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/37f71e2c9f515834841826f4eb68ec33cfb2a1ff	Vuln. Introduced
https://git.kernel.org/stable/c/1d576c3a5af850bf11fbd103f9ba11aa6d6061fb	Vuln. Introduced
https://git.kernel.org/stable/c/2e07e8348ea454615e268222ae3fc240421be768	Vuln. Introduced
https://git.kernel.org/stable/c/db1b14eec8c61a20374de9f9c2ddc6c9406a8c42	Vuln. Introduced
https://git.kernel.org/stable/c/2b16d960c79abc397f102c3d23d30005b68cb036	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae	2024-03-26
https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c	2024-03-26
https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7	2024-03-26
https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955	2024-03-26
https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb	2024-03-06

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26886	2024-09-18
https://bugzilla.redhat.com/show_bug.cgi?id=2275678	2024-09-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.70 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.70 < 6.1.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.9 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.9 < 6.6.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.7.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.8.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.10.206 Search vendor "Linux" for product "Linux Kernel" and version "5.10.206"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.146 Search vendor "Linux" for product "Linux Kernel" and version "5.15.146"		en		Affected