Message-ID: <2024052108-CVE-2023-52830-529a@gregkh>
Date: Tue, 21 May 2024 17:32:06 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2023-52830: Bluetooth: Fix double free in hci_conn_cleanup

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix double free in hci_conn_cleanup

syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
    kfree(name)

hci_conn_put:
  put_device
    ...
      kfree(name)

This patch drops the hci_dev_put and hci_conn_put function
calls in the hci_conn_cleanup function, because the object is
freed in the hci_conn_del_sysfs function.

This patch also fixes the refcounting in hci_conn_add_sysfs() and
hci_conn_del_sysfs() to take into account device_add() failures.

This fixes CVE-2023-28464.

The Linux kernel CVE team has assigned CVE-2023-52830 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.19.300 with commit 5c53afc766e0
	Fixed in 5.4.262 with commit 3c4236f1b2a7
	Fixed in 5.10.202 with commit 53d61daf35b1
	Fixed in 5.15.140 with commit ba7088769800
	Fixed in 6.1.64 with commit 87624b1f9b78
	Fixed in 6.5.13 with commit fc666d1b4751
	Fixed in 6.6.3 with commit 56a4fdde95ed
	Fixed in 6.7 with commit a85fb91e3d72

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52830
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/bluetooth/hci_conn.c
	net/bluetooth/hci_sysfs.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5c53afc766e07098429520b7677eaa164b593451
	https://git.kernel.org/stable/c/3c4236f1b2a715e878a06599fa8b0cc21f165d28
	https://git.kernel.org/stable/c/53d61daf35b1bbf3ae06e852ee107aa2f05b3776
	https://git.kernel.org/stable/c/ba7088769800d9892a7e4f35c3137a5b3e65410b
	https://git.kernel.org/stable/c/87624b1f9b781549e69f92db7ede012a21cec275
	https://git.kernel.org/stable/c/fc666d1b47518a18519241cae213de1babd4a4ba
	https://git.kernel.org/stable/c/56a4fdde95ed98d864611155f6728983e199e198
	https://git.kernel.org/stable/c/a85fb91e3d728bdfc80833167e8162cce8bc7004
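The refcounting mistake the description walks through (one path releases the object, a second path drops the same reference again) can be shown in user space with a small kref-style model. The following is an added, constructed example written for this archive page; it is not kernel code and not part of the fix commits. The struct and function names (toy_conn, toy_put, toy_del_sysfs, cleanup_before_fix, cleanup_after_fix) are invented stand-ins for the hci_conn/hci_dev objects and the hci_conn_del_sysfs / hci_conn_cleanup paths named above, and the device_add() failure handling is modelled only as "no reference is taken when registration fails". Instead of freeing the object itself, the model counts release calls and underflowing puts so the double put is observable rather than a crash.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the hci_conn/hci_dev pair (constructed, not kernel code):
 * one kref-style counter, a heap-allocated name released on the final put,
 * and bookkeeping fields so a caller can observe a double put without ever
 * touching freed memory. */
struct toy_conn {
    int refcount;        /* outstanding owner references */
    int registered;      /* did the simulated device_add() succeed? */
    char *name;          /* freed exactly once, in toy_release() */
    int release_calls;   /* how many times the release ran (must stay <= 1) */
    int underflows;      /* puts attempted at refcount 0: the double-free symptom */
};

static char *toy_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Runs when the last reference goes away, like kobject_release -> kfree(name). */
static void toy_release(struct toy_conn *c)
{
    c->release_calls++;
    free(c->name);
    c->name = NULL;
}

/* kref_put analogue: 1 if this put released the object, 0 if references
 * remain, -1 if called on an already-released object (the case refcount_t
 * warns about in the kernel). */
static int toy_put(struct toy_conn *c)
{
    if (c->refcount <= 0) {
        c->underflows++;
        return -1;
    }
    if (--c->refcount == 0) {
        toy_release(c);
        return 1;
    }
    return 0;
}

static void toy_get(struct toy_conn *c) { c->refcount++; }

static struct toy_conn *toy_conn_alloc(const char *name)
{
    struct toy_conn *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->name = toy_strdup(name);
    c->refcount = 1;     /* the creator's reference */
    return c;
}

/* Simulated hci_conn_add_sysfs(): on success sysfs holds a reference; if
 * device_add() fails nothing is registered and no reference is taken. */
static int toy_add_sysfs(struct toy_conn *c, int device_add_fails)
{
    if (device_add_fails)
        return -1;
    toy_get(c);
    c->registered = 1;
    return 0;
}

/* Simulated hci_conn_del_sysfs() after the fix: drop the sysfs reference
 * only if registration succeeded, then drop the creator's reference. The
 * object is therefore fully released here and nowhere else. */
static void toy_del_sysfs(struct toy_conn *c)
{
    if (c->registered) {
        toy_put(c);
        c->registered = 0;
    }
    toy_put(c);
}

/* Pre-fix cleanup shape: del_sysfs already released the object, then the
 * cleanup puts again (the hci_dev_put/hci_conn_put calls the patch removed).
 * Returns the number of underflowing puts: 1 here. */
static int cleanup_before_fix(struct toy_conn *c)
{
    toy_del_sysfs(c);
    toy_put(c);
    return c->underflows;
}

/* Fixed cleanup shape: release happens exactly once, inside del_sysfs.
 * Returns the number of underflowing puts: 0 here. */
static int cleanup_after_fix(struct toy_conn *c)
{
    toy_del_sysfs(c);
    return c->underflows;
}
```

The useful observation is that the pre-fix sequence does not fail at the extra put itself; the extra put is the symptom, and the object was already gone. In the real kernel the equivalent put lands in kfree() on an already-freed name, which is why syzbot reports it as a use-after-free in a later, unrelated path such as hci_conn_hash_flush rather than at the point of the bug.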
