Описание
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix double free in hci_conn_cleanup
syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow:
hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name)
hci_dev_put: ... kfree(name)
hci_conn_put: put_device ... kfree(name)
This patch drop the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function.
This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures.
This fixes CVE-2023-28464.
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix double free in hci_conn_cleanup
syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow:
hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name)
hci_dev_put: ... kfree(name)
hci_conn_put: put_device ... kfree(name)
This patch drop the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function.
This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures.
This fixes CVE-2023-28464.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2023-52830
- https://git.kernel.org/stable/c/3c4236f1b2a715e878a06599fa8b0cc21f165d28
- https://git.kernel.org/stable/c/53d61daf35b1bbf3ae06e852ee107aa2f05b3776
- https://git.kernel.org/stable/c/56a4fdde95ed98d864611155f6728983e199e198
- https://git.kernel.org/stable/c/5c53afc766e07098429520b7677eaa164b593451
- https://git.kernel.org/stable/c/87624b1f9b781549e69f92db7ede012a21cec275
- https://git.kernel.org/stable/c/a85fb91e3d728bdfc80833167e8162cce8bc7004
- https://git.kernel.org/stable/c/ba7088769800d9892a7e4f35c3137a5b3e65410b
- https://git.kernel.org/stable/c/fc666d1b47518a18519241cae213de1babd4a4ba
CVE ID
Связанные уязвимости
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
[REJECTED CVE] A vulnerability was identified in the Bluetooth subsystem of the Linux kernel within the hci_conn_cleanup function. When cleaning up connections, the same object could be freed multiple times due to redundant calls to hci_dev_put and hci_conn_put after it was already released by hci_conn_del_sysfs.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.