CVE-2024-36013

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: L2CAP: corrige slab-use-after-free en l2cap_connect() Amplia una sección crítica para evitar que chan se libere anticipadamente. También anule el tipo de retorno l2cap_connect(). Nada utiliza el valor devuelto, pero es feo devolver un puntero potencialmente liberado. Anularlo ayudará con los backports porque los kernels anteriores usaban el valor de retorno. Ahora la compilación se interrumpirá en los núcleos en los que este parche no sea una solución completa. Resumen de la pila de llamadas: [usar] l2cap_bredr_sig_cmd l2cap_connect ? mutex_lock(&conn->chan_lock); ? chan = pchan->ops->new_connection(pchan); <-alloc chan? __l2cap_chan_add(conexión, chan); ? l2cap_chan_hold(chan); ? list_add(&chan->lista, &conn->chan_l); ... (1) ? mutex_unlock(&conn->chan_lock); chan->conf_state... (4) <- usar después de gratis [gratis] l2cap_conn_del? mutex_lock(&conn->chan_lock); ? foreach chan en conn->chan_l: ... (2)? l2cap_chan_put(chan); ? l2cap_chan_destroy? kfree(chan) ... (3) <- chan liberado? mutex_unlock(&conn->chan_lock); ==================================================== ================ ERROR: KASAN: slab-use-after-free en instrument_atomic_read include/linux/instrumented.h:68 [en línea] ERROR: KASAN: slab-use-after -free en _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [en línea] ERROR: KASAN: slab-use-after-free en l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Lectura del tamaño 8 en addr ffff88810bf040a0 por tarea kworker/u3:1/311

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311

Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde discovered that an untrusted hypervisor could inject malicious #VC interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw is known as WeSee. A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.