CVE-2024-27399
Vulnerability from cvelistv5
Published
2024-05-13 10:24
Modified
2024-12-19 08:54
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout There is a race condition between l2cap_chan_timeout() and l2cap_chan_del(). When we use l2cap_chan_del() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). As a result the null pointer dereference bug will happen. The KASAN report triggered by POC is shown below: [ 472.074580] ================================================================== [ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0 [ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7 [ 472.075308] [ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.075308] Workqueue: events l2cap_chan_timeout [ 472.075308] Call Trace: [ 472.075308] <TASK> [ 472.075308] dump_stack_lvl+0x137/0x1a0 [ 472.075308] print_report+0x101/0x250 [ 472.075308] ? __virt_addr_valid+0x77/0x160 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_report+0x139/0x170 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_check_range+0x2c3/0x2e0 [ 472.075308] mutex_lock+0x68/0xc0 [ 472.075308] l2cap_chan_timeout+0x181/0x300 [ 472.075308] process_one_work+0x5d2/0xe00 [ 472.075308] worker_thread+0xe1d/0x1660 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] kthread+0x2b7/0x350 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork+0x4d/0x80 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork_asm+0x11/0x20 [ 472.075308] </TASK> [ 472.075308] ================================================================== [ 472.094860] Disabling lock debugging due to kernel taint [ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158 [ 472.096136] #PF: supervisor write access in kernel mode [ 472.096136] #PF: error_code(0x0002) - not-present page [ 472.096136] PGD 0 P4D 0 [ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI [ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.096136] Workqueue: events l2cap_chan_timeout [ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0 [ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 [ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 [ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 [ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 [ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f [ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 [ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00 [ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 [ 472.096136] Call Trace: [ 472.096136] <TASK> [ 472.096136] ? __die_body+0x8d/0xe0 [ 472.096136] ? page_fault_oops+0x6b8/0x9a0 [ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0 [ 472.096136] ? do_user_addr_fault+0x1027/0x1340 [ 472.096136] ? _printk+0x7a/0xa0 [ 472.096136] ? mutex_lock+0x68/0xc0 [ 472.096136] ? add_taint+0x42/0xd0 [ 472.096136] ? exc_page_fault+0x6a/0x1b0 [ 472.096136] ? asm_exc_page_fault+0x26/0x30 [ 472.096136] ? mutex_lock+0x75/0xc0 [ 472.096136] ? mutex_lock+0x88/0xc0 [ 472.096136] ? mutex_lock+0x75/0xc0 [ 472.096136] l2cap_chan_timeo ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240926-0001/
Impacted products
Vendor Product Version
Linux Linux Version: 3.4
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27399",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-13T20:21:44.727650Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:22:50.323Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-26T15:03:06.207Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20240926-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e137e2ba96e51902dc2878131823a96bf8e638ae",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            },
            {
              "lessThan": "6466ee65e5b27161c846c73ef407f49dfa1bd1d9",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            },
            {
              "lessThan": "06acb75e7ed600d0bbf7bff5628aa8f24a97978c",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            },
            {
              "lessThan": "e97e16433eb4533083b096a3824b93a5ca3aee79",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            },
            {
              "lessThan": "8960ff650aec70485b40771cd8e6e8c4cb467d33",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            },
            {
              "lessThan": "955b5b6c54d95b5e7444dfc81c95c8e013f27ac0",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            },
            {
              "lessThan": "eb86f955488c39526534211f2610e48a5cf8ead4",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            },
            {
              "lessThan": "adf0398cee86643b8eacde95f17d073d022f782c",
              "status": "affected",
              "version": "3df91ea20e744344100b10ae69a17211fcf5b207",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/l2cap_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "lessThan": "3.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.314",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.217",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan-\u003econn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[  472.074580] ==================================================================\n[  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[  472.075308]\n[  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.075308] Workqueue: events l2cap_chan_timeout\n[  472.075308] Call Trace:\n[  472.075308]  \u003cTASK\u003e\n[  472.075308]  dump_stack_lvl+0x137/0x1a0\n[  472.075308]  print_report+0x101/0x250\n[  472.075308]  ? __virt_addr_valid+0x77/0x160\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_report+0x139/0x170\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_check_range+0x2c3/0x2e0\n[  472.075308]  mutex_lock+0x68/0xc0\n[  472.075308]  l2cap_chan_timeout+0x181/0x300\n[  472.075308]  process_one_work+0x5d2/0xe00\n[  472.075308]  worker_thread+0xe1d/0x1660\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  kthread+0x2b7/0x350\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork+0x4d/0x80\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork_asm+0x11/0x20\n[  472.075308]  \u003c/TASK\u003e\n[  472.075308] ==================================================================\n[  472.094860] Disabling lock debugging due to kernel taint\n[  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  472.096136] #PF: supervisor write access in kernel mode\n[  472.096136] #PF: error_code(0x0002) - not-present page\n[  472.096136] PGD 0 P4D 0\n[  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36\n[  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.096136] Workqueue: events l2cap_chan_timeout\n[  472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[  472.096136] Call Trace:\n[  472.096136]  \u003cTASK\u003e\n[  472.096136]  ? __die_body+0x8d/0xe0\n[  472.096136]  ? page_fault_oops+0x6b8/0x9a0\n[  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[  472.096136]  ? do_user_addr_fault+0x1027/0x1340\n[  472.096136]  ? _printk+0x7a/0xa0\n[  472.096136]  ? mutex_lock+0x68/0xc0\n[  472.096136]  ? add_taint+0x42/0xd0\n[  472.096136]  ? exc_page_fault+0x6a/0x1b0\n[  472.096136]  ? asm_exc_page_fault+0x26/0x30\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  ? mutex_lock+0x88/0xc0\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  l2cap_chan_timeo\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:54:16.643Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79"
        },
        {
          "url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33"
        },
        {
          "url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4"
        },
        {
          "url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c"
        }
      ],
      "title": "Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-27399",
    "datePublished": "2024-05-13T10:24:57.045Z",
    "dateReserved": "2024-02-25T13:47:42.681Z",
    "dateUpdated": "2024-12-19T08:54:16.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-27399\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-14T15:12:28.977\",\"lastModified\":\"2024-11-21T09:04:32.110\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\\n\\nThere is a race condition between l2cap_chan_timeout() and\\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\\nchannel, the chan-\u003econn will be set to null. But the conn could\\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\\nAs a result the null pointer dereference bug will happen. The\\nKASAN report triggered by POC is shown below:\\n\\n[  472.074580] ==================================================================\\n[  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\\n[  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\\n[  472.075308]\\n[  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\\n[  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\\n[  472.075308] Workqueue: events l2cap_chan_timeout\\n[  472.075308] Call Trace:\\n[  472.075308]  \u003cTASK\u003e\\n[  472.075308]  dump_stack_lvl+0x137/0x1a0\\n[  472.075308]  print_report+0x101/0x250\\n[  472.075308]  ? __virt_addr_valid+0x77/0x160\\n[  472.075308]  ? mutex_lock+0x68/0xc0\\n[  472.075308]  kasan_report+0x139/0x170\\n[  472.075308]  ? mutex_lock+0x68/0xc0\\n[  472.075308]  kasan_check_range+0x2c3/0x2e0\\n[  472.075308]  mutex_lock+0x68/0xc0\\n[  472.075308]  l2cap_chan_timeout+0x181/0x300\\n[  472.075308]  process_one_work+0x5d2/0xe00\\n[  472.075308]  worker_thread+0xe1d/0x1660\\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\\n[  472.075308]  kthread+0x2b7/0x350\\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\\n[  472.075308]  ret_from_fork+0x4d/0x80\\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\\n[  472.075308]  ret_from_fork_asm+0x11/0x20\\n[  472.075308]  \u003c/TASK\u003e\\n[  472.075308] ==================================================================\\n[  472.094860] Disabling lock debugging due to kernel taint\\n[  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\\n[  472.096136] #PF: supervisor write access in kernel mode\\n[  472.096136] #PF: error_code(0x0002) - not-present page\\n[  472.096136] PGD 0 P4D 0\\n[  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\\n[  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36\\n[  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\\n[  472.096136] Workqueue: events l2cap_chan_timeout\\n[  472.096136] RIP: 0010:mutex_lock+0x88/0xc0\\n[  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\\n[  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\\n[  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\\n[  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\\n[  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\\n[  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\\n[  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\\n[  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\\n[  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\\n[  472.096136] Call Trace:\\n[  472.096136]  \u003cTASK\u003e\\n[  472.096136]  ? __die_body+0x8d/0xe0\\n[  472.096136]  ? page_fault_oops+0x6b8/0x9a0\\n[  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0\\n[  472.096136]  ? do_user_addr_fault+0x1027/0x1340\\n[  472.096136]  ? _printk+0x7a/0xa0\\n[  472.096136]  ? mutex_lock+0x68/0xc0\\n[  472.096136]  ? add_taint+0x42/0xd0\\n[  472.096136]  ? exc_page_fault+0x6a/0x1b0\\n[  472.096136]  ? asm_exc_page_fault+0x26/0x30\\n[  472.096136]  ? mutex_lock+0x75/0xc0\\n[  472.096136]  ? mutex_lock+0x88/0xc0\\n[  472.096136]  ? mutex_lock+0x75/0xc0\\n[  472.096136]  l2cap_chan_timeo\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: l2cap: corrige null-ptr-deref en l2cap_chan_timeout Existe una condici\u00f3n de ejecuci\u00f3n entre l2cap_chan_timeout() y l2cap_chan_del(). Cuando usamos l2cap_chan_del() para eliminar el canal, chan-\u0026gt;conn se establecer\u00e1 en nulo. Pero se podr\u00eda desreferenciar la conexi\u00f3n nuevamente en mutex_lock() de l2cap_chan_timeout(). Como resultado, se producir\u00e1 el error de desreferencia del puntero nulo. El informe KASAN activado por POC se muestra a continuaci\u00f3n: [472.074580] ====================================== ============================= [472.075284] ERROR: KASAN: null-ptr-deref en mutex_lock+0x68/0xc0 [472.075308] Escritura de tama\u00f1o 8 en la direcci\u00f3n 0000000000000158 mediante tarea kworker/0:0/7 [ 472.075308] [ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [ 472. 075308 ] Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.075308] Cola de trabajo: eventos l2cap_chan_timeout [ 472.075308] Seguimiento de llamadas: [ 472.075308]  [ 4 72.075308 ] dump_stack_lvl+0x137/0x1a0 [ 472.075308] print_report+0x101/0x250 [ 472.075308] ? __virt_addr_valid+0x77/0x160 [472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_report+0x139/0x170 [ 472.075308] ? mutex_lock+0x68/0xc0 [ 472.075308] kasan_check_range+0x2c3/0x2e0 [ 472.075308] mutex_lock+0x68/0xc0 [ 472.075308] l2cap_chan_timeout+0x181/0x300 [ 472.075308] +0x5d2/0xe00 [ 472.075308] hilo_trabajador+0xe1d/0x1660 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [ 472.075308] kthread+0x2b7/0x350 [ 472.075308] ? pr_cont_work+0x5e0/0x5e0 [472.075308]? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork+0x4d/0x80 [ 472.075308] ? kthread_blkcg+0xd0/0xd0 [ 472.075308] ret_from_fork_asm+0x11/0x20 [ 472.075308]  [ 472.075308] ============================ ======================================= [ 472.094860] Deshabilitar la depuraci\u00f3n de bloqueo debido a la corrupci\u00f3n del kernel [ 472.096136] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000158 [ 472.096136] #PF: acceso de escritura del supervisor en modo kernel [ 472.096136] #PF: error_code(0x0002) - p\u00e1gina no presente [ 472.096136] PGD 0 P4D 0 [ 4 72.096136] Ups : 0002 [#1] PREEMPT SMP KASAN NOPTI [ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Contaminado: GB 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.096136] Nombre de hardware: PC est\u00e1ndar QEMU ( i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.096136] Cola de trabajo: eventos l2cap_chan_timeout [ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0 [ 472.09613 6] C\u00f3digo: ser 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 [ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 [ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 [ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 [ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7 f R09: 1ffff11000e89f8f [ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 [ 472.096136] R13: 0000000000000158 : ffff88800744fc78 R15: ffff888007405a00 [ 472.096136 ] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 00000000800500 33 [ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 [ 472.096136] Seguimiento de llamadas: [ 472.096136]  [ 472.096136] ? __die_body+0x8d/0xe0 [ 472.096136] ? page_fault_oops+0x6b8/0x9a0 [472.096136]? kernelmode_fixup_or_oops+0x20c/0x2a0 [472.096136]? do_user_addr_fault+0x1027/0x1340 [472.096136]? _printk+0x7a/0xa0 [ 472.096136] ? mutex_lock+0x68/0xc0 [472.096136]? add_taint+0x42/0xd0 [472.096136]? exc_page_fault+0x6a/0x1b0 [472.096136]? asm_exc_page_fault+0x26/0x30 [472.096136]? mutex_lock+0x75/0xc0 [472.096136]? mutex_lock+0x88/0xc0 [472.096136]? mutex_lock+0x75/0xc0 [472.096136] l2cap_chan_timeo ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240926-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.