CVE-2024-36013

Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()

Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.

Call stack summary:

[use]
l2cap_bredr_sig_cmd
l2cap_connect
┌ mutex_lock(&conn->chan_lock);
│ chan = pchan->ops->new_connection(pchan); <- alloc chan
│ __l2cap_chan_add(conn, chan);
│ l2cap_chan_hold(chan);
│ list_add(&chan->list, &conn->chan_l); ... (1)
└ mutex_unlock(&conn->chan_lock);
chan->conf_state ... (4) <- use after free

[free]
l2cap_conn_del
┌ mutex_lock(&conn->chan_lock);
│ foreach chan in conn->chan_l: ... (2)
│ l2cap_chan_put(chan);
│ l2cap_chan_destroy
│ kfree(chan) ... (3) <- chan freed
└ mutex_unlock(&conn->chan_lock);

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: L2CAP: corrige slab-use-after-free en l2cap_connect() Amplia una sección crítica para evitar que chan se libere anticipadamente. También anule el tipo de retorno l2cap_connect(). Nada utiliza el valor devuelto, pero es feo devolver un puntero potencialmente liberado. Anularlo ayudará con los backports porque los kernels anteriores usaban el valor de retorno. Ahora la compilación se interrumpirá en los núcleos en los que este parche no sea una solución completa. Resumen de la pila de llamadas: [usar] l2cap_bredr_sig_cmd l2cap_connect ? mutex_lock(&conn->chan_lock); ? chan = pchan->ops->new_connection(pchan); <-alloc chan? __l2cap_chan_add(conexión, chan); ? l2cap_chan_hold(chan); ? list_add(&chan->lista, &conn->chan_l); ... (1) ? mutex_unlock(&conn->chan_lock); chan->conf_state... (4) <- usar después de gratis [gratis] l2cap_conn_del? mutex_lock(&conn->chan_lock); ? foreach chan en conn->chan_l: ... (2)? l2cap_chan_put(chan); ? l2cap_chan_destroy? kfree(chan) ... (3) <- chan liberado? mutex_unlock(&conn->chan_lock); ==================================================== ================ ERROR: KASAN: slab-use-after-free en instrument_atomic_read include/linux/instrumented.h:68 [en línea] ERROR: KASAN: slab-use-after -free en _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [en línea] ERROR: KASAN: slab-use-after-free en l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Lectura del tamaño 8 en addr ffff88810bf040a0 por tarea kworker/u3:1/311

*Credits: N/A

CVSS Scores

CISAv3.1 6.8

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-23 CVE Published
2024-05-26 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/73ffa904b78287f6acf8797e040150aa26a4af4a	Vuln. Introduced
http://www.openwall.com/lists/oss-security/2024/05/30/1
http://www.openwall.com/lists/oss-security/2024/05/30/2

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5	2024-05-25
https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6	2024-05-25
https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658	2024-05-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.0 < 6.6.32 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.0 < 6.6.32"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.0 < 6.8.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.0 < 6.8.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.0 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.0 < 6.9"		en		Affected