CVE-2024-26886
Bluetooth: af_bluetooth: Fix deadlock
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: af_bluetooth: Fix deadlock
Attemting to do sock_lock on .recvmsg may cause a deadlock as shown
bellow, so instead of using sock_sock this uses sk_receive_queue.lock
on bt_sock_ioctl to avoid the UAF:
INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__schedule+0x37d/0xa00
schedule+0x32/0xe0
__lock_sock+0x68/0xa0
? __pfx_autoremove_wake_function+0x10/0x10
lock_sock_nested+0x43/0x50
l2cap_sock_recv_cb+0x21/0xa0
l2cap_recv_frame+0x55b/0x30a0
? psi_task_switch+0xeb/0x270
? finish_task_switch.isra.0+0x93/0x2a0
hci_rx_work+0x33a/0x3f0
process_one_work+0x13a/0x2f0
worker_thread+0x2f0/0x410
? __pfx_worker_thread+0x10/0x10
kthread+0xe0/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: af_bluetooth: Reparar interbloqueo Intentar ejecutar sock_lock en .recvmsg puede causar un interbloqueo como se muestra a continuación, por lo que en lugar de usar sock_sock, usa sk_receive_queue.lock en bt_sock_ioctl para evitar el UAF: INFORMACIÓN: tarea kworker/u9:1:121 bloqueada durante más de 30 segundos. No contaminado 6.7.6-lemon #183 Cola de trabajo: hci0 hci_rx_work Seguimiento de llamadas: __schedule+0x37d/0xa00 Schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270? terminar_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 proceso_one_work+0x13a/0x2f0 trabajador_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30
A flaw was found in the Linux kernel’s Bluetooth subsystem, specifically within the af_bluetooth module. The issue arises when attempting to perform a sock_lock on the .recvmsg method, leading to a deadlock situation. In this scenario, multiple tasks wait indefinitely for a resource, causing significant performance degradation or system crashes.
The vulnerability occurs during Bluetooth operations, where tasks are blocked for more than 30 seconds, creating potential instability. The solution was to replace the sock_sock lock with the sk_receive_queue.lock in the bt_sock_ioctl function to prevent a use-after-free (UAF) condition and avoid the deadlock.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-04-17 CVE Published
- 2024-11-18 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
- CWE-833: Deadlock
CAPEC
References (13)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/37f71e2c9f515834841826f4eb68ec33cfb2a1ff | Vuln. Introduced | |
https://git.kernel.org/stable/c/1d576c3a5af850bf11fbd103f9ba11aa6d6061fb | Vuln. Introduced | |
https://git.kernel.org/stable/c/2e07e8348ea454615e268222ae3fc240421be768 | Vuln. Introduced | |
https://git.kernel.org/stable/c/db1b14eec8c61a20374de9f9c2ddc6c9406a8c42 | Vuln. Introduced | |
https://git.kernel.org/stable/c/2b16d960c79abc397f102c3d23d30005b68cb036 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-26886 | 2024-09-18 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2275678 | 2024-09-18 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.1.70 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.70 < 6.1.83" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.1.70 < 6.1.118 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.70 < 6.1.118" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6.9 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.9 < 6.6.23" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.7 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.7.11" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.7 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.8.2" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.7 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.10.206 Search vendor "Linux" for product "Linux Kernel" and version "5.10.206" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.15.146 Search vendor "Linux" for product "Linux Kernel" and version "5.15.146" | en |
Affected
|