CVE-2024-27398

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27398
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27398.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-27398
Related
Published
2024-05-14T15:12:28Z
Modified
2024-11-05T11:50:04.475688Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by scosocktimeout

When the sco connection is established and then, the sco socket is releasing, timeoutwork will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in scosock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below:

Cleanup Thread               |      Worker Thread

scosockrelease | scosockclose | _scosockclose | scosocksettimer | scheduledelayedwork | scosockkill | (wait a time) sockput(sk) //FREE | scosocktimeout | sockhold(sk) //USE

The KASAN report triggered by POC is shown below:

[ 95.890016] ================================================================== [ 95.890496] BUG: KASAN: slab-use-after-free in scosocktimeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 ... [ 95.890755] Workqueue: events scosocktimeout [ 95.890755] Call Trace: [ 95.890755] <TASK> [ 95.890755] dumpstacklvl+0x45/0x110 [ 95.890755] printaddressdescription+0x78/0x390 [ 95.890755] printreport+0x11b/0x250 [ 95.890755] ? _virtaddrvalid+0xbe/0xf0 [ 95.890755] ? scosocktimeout+0x5e/0x1c0 [ 95.890755] kasanreport+0x139/0x170 [ 95.890755] ? updateloadavg+0xe5/0x9f0 [ 95.890755] ? scosocktimeout+0x5e/0x1c0 [ 95.890755] kasancheckrange+0x2c3/0x2e0 [ 95.890755] scosocktimeout+0x5e/0x1c0 [ 95.890755] processonework+0x561/0xc50 [ 95.890755] workerthread+0xab2/0x13c0 [ 95.890755] ? prcontwork+0x490/0x490 [ 95.890755] kthread+0x279/0x300 [ 95.890755] ? prcontwork+0x490/0x490 [ 95.890755] ? kthreadblkcg+0xa0/0xa0 [ 95.890755] retfromfork+0x34/0x60 [ 95.890755] ? kthreadblkcg+0xa0/0xa0 [ 95.890755] retfromforkasm+0x11/0x20 [ 95.890755] </TASK> [ 95.890755] [ 95.890755] Allocated by task 506: [ 95.890755] kasansavetrack+0x3f/0x70 [ 95.890755] _kasankmalloc+0x86/0x90 [ 95.890755] _kmalloc+0x17f/0x360 [ 95.890755] skprotalloc+0xe1/0x1a0 [ 95.890755] skalloc+0x31/0x4e0 [ 95.890755] btsockalloc+0x2b/0x2a0 [ 95.890755] scosockcreate+0xad/0x320 [ 95.890755] btsockcreate+0x145/0x320 [ 95.890755] _sockcreate+0x2e1/0x650 [ 95.890755] _syssocket+0xd0/0x280 [ 95.890755] _x64syssocket+0x75/0x80 [ 95.890755] dosyscall64+0xc4/0x1b0 [ 95.890755] entrySYSCALL64afterhwframe+0x67/0x6f [ 95.890755] [ 95.890755] Freed by task 506: [ 95.890755] kasansavetrack+0x3f/0x70 [ 95.890755] kasansavefreeinfo+0x40/0x50 [ 95.890755] poisonslabobject+0x118/0x180 [ 95.890755] _kasanslabfree+0x12/0x30 [ 95.890755] kfree+0xb2/0x240 [ 95.890755] _skdestruct+0x317/0x410 [ 95.890755] scosockrelease+0x232/0x280 [ 95.890755] sockclose+0xb2/0x210 [ 95.890755] _fput+0x37f/0x770 [ 95.890755] taskworkrun+0x1ae/0x210 [ 95.890755] getsignal+0xe17/0xf70 [ 95.890755] archdosignalorrestart+0x3f/0x520 [ 95.890755] syscallexittousermode+0x55/0x120 [ 95.890755] dosyscall64+0xd1/0x1b0 [ 95.890755] entrySYSCALL64afterhwframe+0x67/0x6f [ 95.890755] [ 95.890755] The buggy address belongs to the object at ffff88800c388000 [ 95.890755] which belongs to the cache kmalloc-1k of size 1024 [ 95.890755] The buggy address is located 128 bytes inside of [ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755] The buggy address belongs to the physical page: [ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 [ 95.890755] head: order:3 entiremapcount:0 nrpagesmapped:0 pincount:0 [ 95.890755] ano ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.218-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2
5.10.216-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.94-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.8.11-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}