ghsa-3cpr-9mc9-3vfm
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix double free in hci_conn_cleanup
syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow:
hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name)
hci_dev_put: ... kfree(name)
hci_conn_put: put_device ... kfree(name)
This patch drop the hci_dev_put and hci_conn_put function call in hci_conn_cleanup function, because the object is freed in hci_conn_del_sysfs function.
This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures.
This fixes CVE-2023-28464.
{ affected: [], aliases: [ "CVE-2023-52830", ], database_specific: { cwe_ids: [], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2024-05-21T16:15:20Z", severity: null, }, details: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix double free in hci_conn_cleanup\n\nsyzbot reports a slab use-after-free in hci_conn_hash_flush [1].\nAfter releasing an object using hci_conn_del_sysfs in the\nhci_conn_cleanup function, releasing the same object again\nusing the hci_dev_put and hci_conn_put functions causes a double free.\nHere's a simplified flow:\n\nhci_conn_del_sysfs:\n hci_dev_put\n put_device\n kobject_put\n kref_put\n kobject_release\n kobject_cleanup\n kfree_const\n kfree(name)\n\nhci_dev_put:\n ...\n kfree(name)\n\nhci_conn_put:\n put_device\n ...\n kfree(name)\n\nThis patch drop the hci_dev_put and hci_conn_put function\ncall in hci_conn_cleanup function, because the object is\nfreed in hci_conn_del_sysfs function.\n\nThis patch also fixes the refcounting in hci_conn_add_sysfs() and\nhci_conn_del_sysfs() to take into account device_add() failures.\n\nThis fixes CVE-2023-28464.", id: "GHSA-3cpr-9mc9-3vfm", modified: "2024-05-21T18:31:22Z", published: "2024-05-21T18:31:22Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-52830", }, { type: "WEB", url: "https://git.kernel.org/stable/c/3c4236f1b2a715e878a06599fa8b0cc21f165d28", }, { type: "WEB", url: "https://git.kernel.org/stable/c/53d61daf35b1bbf3ae06e852ee107aa2f05b3776", }, { type: "WEB", url: "https://git.kernel.org/stable/c/56a4fdde95ed98d864611155f6728983e199e198", }, { type: "WEB", url: "https://git.kernel.org/stable/c/5c53afc766e07098429520b7677eaa164b593451", }, { type: "WEB", url: "https://git.kernel.org/stable/c/87624b1f9b781549e69f92db7ede012a21cec275", }, { type: "WEB", url: "https://git.kernel.org/stable/c/a85fb91e3d728bdfc80833167e8162cce8bc7004", }, { type: "WEB", url: "https://git.kernel.org/stable/c/ba7088769800d9892a7e4f35c3137a5b3e65410b", }, { type: "WEB", url: "https://git.kernel.org/stable/c/fc666d1b47518a18519241cae213de1babd4a4ba", }, ], schema_version: "1.4.0", severity: [], }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.