CVE-2023-28464: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup

hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.

From: ZhengHan Wang [email protected]
To: [email protected], [email protected], [email protected]
Cc: [email protected], [email protected], [email protected], ZhengHan Wang [email protected]
Subject: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
Date: Thu, 9 Mar 2023 15:46:45 +0800

syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here’s a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  …
    kfree(name)

hci_conn_put:
  put_device
    …
      kfree(name)

This patch drops the hci_dev_put and hci_conn_put function calls in the hci_conn_cleanup function, because the object is freed in the hci_conn_del_sysfs function.

Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]

Signed-off-by: ZhengHan Wang [email protected]

 net/bluetooth/hci_conn.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index acf563fbdfd9…a0ccbef34bc2 100644 — a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -152,10 +152,6 @@ static void hci_conn_cleanup(struct hci_conn *conn) hci_conn_del_sysfs(conn);

debugfs\_remove\_recursive(conn->debugfs);

-

  • hci_dev_put(hdev);
  • hci_conn_put(conn); }

static void le_scan_cleanup(struct work_struct *work)
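Review bot: removing hci_dev_put(hdev) and hci_conn_put(conn) at the end of hci_conn_cleanup() drops two different references, and the hunk does not show what each of them was balancing. The commit message's call chain has hci_conn_del_sysfs() reach kfree(name) through hci_dev_put(), but hci_conn_put(conn) is put_device() on the connection object itself, not on hdev, so the message should say which hold each removed put was pairing with, and confirm that cleanup paths on which hci_conn_del_sysfs() never reaches put_device() still drop both references; otherwise the double free is traded for a leak of hdev and conn. Please also add a Reported-by: tag for the syzbot report and a Fixes: tag naming the commit that introduced the second put, since only Link: and Signed-off-by: are present.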

--
2.25.1
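The double put that the commit message describes, modelled in user space as an added example (not code from the patch or the kernel; conn_put, del_sysfs and the demo functions are hypothetical stand-ins): a put on a count that is already zero is recorded the way refcount_t's underflow check would report it, instead of freeing the name a second time.

```c
/* Added example, not code from the patch or the kernel: a user-space model of the
 * double put the commit message describes. All names below are hypothetical. */
#include <stdlib.h>

struct conn {
    int refs;        /* models the kref behind put_device()/kobject_put() */
    char *name;      /* models the kobject name that kfree(name) releases */
    int released;    /* how many times the release path ran */
    int underflows;  /* puts that found refs already 0: a double-free attempt */
};

/* kref_put with the underflow check refcount_t performs: a put on a count that
 * is already zero is recorded instead of turning into a second kfree(name). */
static int conn_put(struct conn *c)
{
    if (c->refs == 0) {
        c->underflows++;
        return -1;
    }
    if (--c->refs == 0) {
        c->released++;
        free(c->name);
        c->name = NULL;
    }
    return 0;
}

static void del_sysfs(struct conn *c) { conn_put(c); } /* hci_conn_del_sysfs() drops the ref it owns */

/* Before the patch: hci_conn_cleanup() put the object again after del_sysfs(). */
static int demo_before_patch(void)
{
    struct conn c = { .refs = 1, .name = malloc(16) }; /* constructed sample object */
    del_sysfs(&c);
    conn_put(&c);          /* the removed hci_conn_put(conn) */
    return c.underflows;   /* 1: the second free was caught, not performed */
}

/* After the patch: only del_sysfs() drops the reference, so release runs once. */
static int demo_after_patch(void)
{
    struct conn c = { .refs = 1, .name = malloc(16) }; /* constructed sample object */
    del_sysfs(&c);
    return c.released;     /* 1 */
}
```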

