| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091852-CVE-2022-50386-07d7@gregkh> Date: Thu, 18 Sep 2025 15:34:00 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix user-after-free This uses l2cap_chan_hold_unless_zero() after calling __l2cap_get_chan_blah() to prevent the following trace: Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref) Bluetooth: chan 0000000023c4974d Bluetooth: parent 00000000ae861c08 ================================================================== BUG: KASAN: use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline] BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:671 [inline] BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729 Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389 The Linux kernel CVE team has assigned CVE-2022-50386 to this issue. Affected and fixed versions =========================== Fixed in 4.9.331 with commit 11e40d6c0823f699d8ad501e48d1c3ae4be386cd Fixed in 4.14.296 with commit 843fc4e386dd84b806a7f07fb062d8c3a44e5364 Fixed in 4.19.262 with commit d91fc2836562f299f34e361e089e9fe154da4f73 Fixed in 5.4.220 with commit 7d6f9cb24d2b2f6b6370eac074e2e6b1bafdad45 Fixed in 5.10.150 with commit 0c108cf3ad386e0084277093b55a351c49e0be27 Fixed in 5.15.75 with commit d1e894f950ad48897d1a7cb05909ea29d8c3810e Fixed in 5.19.17 with commit 6ffde6e03085874ae22263ff4cef4869f797e84f Fixed in 6.0.3 with commit 15fc21695eb606bdc5d483b92118ee42610a952d Fixed in 6.1 with commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50386 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/bluetooth/l2cap_core.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/11e40d6c0823f699d8ad501e48d1c3ae4be386cd https://git.kernel.org/stable/c/843fc4e386dd84b806a7f07fb062d8c3a44e5364 https://git.kernel.org/stable/c/d91fc2836562f299f34e361e089e9fe154da4f73 https://git.kernel.org/stable/c/7d6f9cb24d2b2f6b6370eac074e2e6b1bafdad45 https://git.kernel.org/stable/c/0c108cf3ad386e0084277093b55a351c49e0be27 https://git.kernel.org/stable/c/d1e894f950ad48897d1a7cb05909ea29d8c3810e https://git.kernel.org/stable/c/6ffde6e03085874ae22263ff4cef4869f797e84f https://git.kernel.org/stable/c/15fc21695eb606bdc5d483b92118ee42610a952d https://git.kernel.org/stable/c/35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f
Powered by blists - more mailing lists