cve/published/2024/CVE-2024-27398.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27398: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

 When the sco connection is established and then, the sco socket
 is releasing, timeout_work will be scheduled to judge whether
 the sco disconnection is timeout. The sock will be deallocated
 later, but it is dereferenced again in sco_sock_timeout. As a
 result, the use-after-free bugs will happen. The root cause is
 shown below:

     Cleanup Thread               |      Worker Thread
 sco_sock_release                 |
   sco_sock_close                 |
     __sco_sock_close             |
       sco_sock_set_timer         |
         schedule_delayed_work    |
   sco_sock_kill                  |    (wait a time)
     sock_put(sk) //FREE          |  sco_sock_timeout
                                  |    sock_hold(sk) //USE

 The KASAN report triggered by POC is shown below:

 [   95.890016] ==================================================================
 [   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
 [   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
 ...
 [   95.890755] Workqueue: events sco_sock_timeout
 [   95.890755] Call Trace:
 [   95.890755]  <TASK>
 [   95.890755]  dump_stack_lvl+0x45/0x110
 [   95.890755]  print_address_description+0x78/0x390
 [   95.890755]  print_report+0x11b/0x250
 [   95.890755]  ? __virt_addr_valid+0xbe/0xf0
 [   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
 [   95.890755]  kasan_report+0x139/0x170
 [   95.890755]  ? update_load_avg+0xe5/0x9f0
 [   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
 [   95.890755]  kasan_check_range+0x2c3/0x2e0
 [   95.890755]  sco_sock_timeout+0x5e/0x1c0
 [   95.890755]  process_one_work+0x561/0xc50
 [   95.890755]  worker_thread+0xab2/0x13c0
 [   95.890755]  ? pr_cont_work+0x490/0x490
 [   95.890755]  kthread+0x279/0x300
 [   95.890755]  ? pr_cont_work+0x490/0x490
 [   95.890755]  ? kthread_blkcg+0xa0/0xa0
 [   95.890755]  ret_from_fork+0x34/0x60
 [   95.890755]  ? kthread_blkcg+0xa0/0xa0
 [   95.890755]  ret_from_fork_asm+0x11/0x20
 [   95.890755]  </TASK>
 [   95.890755]
 [   95.890755] Allocated by task 506:
 [   95.890755]  kasan_save_track+0x3f/0x70
 [   95.890755]  __kasan_kmalloc+0x86/0x90
 [   95.890755]  __kmalloc+0x17f/0x360
 [   95.890755]  sk_prot_alloc+0xe1/0x1a0
 [   95.890755]  sk_alloc+0x31/0x4e0
 [   95.890755]  bt_sock_alloc+0x2b/0x2a0
 [   95.890755]  sco_sock_create+0xad/0x320
 [   95.890755]  bt_sock_create+0x145/0x320
 [   95.890755]  __sock_create+0x2e1/0x650
 [   95.890755]  __sys_socket+0xd0/0x280
 [   95.890755]  __x64_sys_socket+0x75/0x80
 [   95.890755]  do_syscall_64+0xc4/0x1b0
 [   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
 [   95.890755]
 [   95.890755] Freed by task 506:
 [   95.890755]  kasan_save_track+0x3f/0x70
 [   95.890755]  kasan_save_free_info+0x40/0x50
 [   95.890755]  poison_slab_object+0x118/0x180
 [   95.890755]  __kasan_slab_free+0x12/0x30
 [   95.890755]  kfree+0xb2/0x240
 [   95.890755]  __sk_destruct+0x317/0x410
 [   95.890755]  sco_sock_release+0x232/0x280
 [   95.890755]  sock_close+0xb2/0x210
 [   95.890755]  __fput+0x37f/0x770
 [   95.890755]  task_work_run+0x1ae/0x210
 [   95.890755]  get_signal+0xe17/0xf70
 [   95.890755]  arch_do_signal_or_restart+0x3f/0x520
 [   95.890755]  syscall_exit_to_user_mode+0x55/0x120
 [   95.890755]  do_syscall_64+0xd1/0x1b0
 [   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
 [   95.890755]
 [   95.890755] The buggy address belongs to the object at ffff88800c388000
 [   95.890755]  which belongs to the cache kmalloc-1k of size 1024
 [   95.890755] The buggy address is located 128 bytes inside of
 [   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)
 [   95.890755]
 [   95.890755] The buggy address belongs to the physical page:
 [   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
 [   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 [   95.890755] anon flags: 0x100000000000840(slab|head|node=0|zone=1)
 [   95.890755] page_type: 0xffffffff()
 [   95.890755] raw: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
 [   95.890755] raw: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
 [   95.890755] head: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
 [   95.890755] head: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
 [   95.890755] head: 0100000000000003 ffffea000030e201 ffffea000030e248 00000000ffffffff
 [   95.890755] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
 [   95.890755] page dumped because: kasan: bad access detected
 [   95.890755]
 [   95.890755] Memory state around the buggy address:
 [   95.890755]  ffff88800c387f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 [   95.890755]  ffff88800c388000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [   95.890755] >ffff88800c388080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [   95.890755]                    ^
 [   95.890755]  ffff88800c388100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [   95.890755]  ffff88800c388180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [   95.890755] ==================================================================

 Fix this problem by adding a check protected by sco_conn_lock to judget
 whether the conn->hcon is null. Because the conn->hcon will be set to null,
 when the sock is releasing.

 The Linux kernel CVE team has assigned CVE-2024-27398 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.207 with commit 48669c81a65628ef234cbdd91b9395952c7c27fe and fixed in 4.19.314 with commit 1b33d55fb7355e27f8c82cd4ecd560f162469249
 	Issue introduced in 5.4.148 with commit 37d7ae2b0578f2373674a755402ee722e96edc08 and fixed in 5.4.276 with commit 3212afd00e3cda790fd0583cb3eaef8f9575a014
 	Issue introduced in 5.10.67 with commit a1073aad497d0d071a71f61b721966a176d50c08 and fixed in 5.10.217 with commit 33a6e92161a78c1073d90e27abe28d746feb0a53
 	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 5.15.159 with commit 6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5
 	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.1.91 with commit bfab2c1f7940a232cd519e82fff137e308abfd93
 	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.6.31 with commit 012363cb1bec5f33a7b94629ab2c1086f30280f2
 	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.8.10 with commit 50c2037fc28df870ef29d9728c770c8955d32178
 	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.9 with commit 483bc08181827fc475643272ffb69c533007e546
 	Issue introduced in 4.14.263 with commit fea63ccd928c01573306983346588b26cffb5572
 	Issue introduced in 5.13.19 with commit ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134
 	Issue introduced in 5.14.6 with commit b657bba82ff6a007d84fd076bd73b11131726a2b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27398
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/sco.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249
 	https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014
 	https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53
 	https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5
 	https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93
 	https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2
 	https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178
 	https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27398: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

	When the sco connection is established and then, the sco socket
	is releasing, timeout_work will be scheduled to judge whether
	the sco disconnection is timeout. The sock will be deallocated
	later, but it is dereferenced again in sco_sock_timeout. As a
	result, the use-after-free bugs will happen. The root cause is
	shown below:

	Cleanup Thread \| Worker Thread
	sco_sock_release \|
	sco_sock_close \|
	__sco_sock_close \|
	sco_sock_set_timer \|
	schedule_delayed_work \|
	sco_sock_kill \| (wait a time)
	sock_put(sk) //FREE \| sco_sock_timeout
	\| sock_hold(sk) //USE

	The KASAN report triggered by POC is shown below:

	[ 95.890016] ==================================================================
	[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
	[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
	...
	[ 95.890755] Workqueue: events sco_sock_timeout
	[ 95.890755] Call Trace:
	[ 95.890755] <TASK>
	[ 95.890755] dump_stack_lvl+0x45/0x110
	[ 95.890755] print_address_description+0x78/0x390
	[ 95.890755] print_report+0x11b/0x250
	[ 95.890755] ? __virt_addr_valid+0xbe/0xf0
	[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
	[ 95.890755] kasan_report+0x139/0x170
	[ 95.890755] ? update_load_avg+0xe5/0x9f0
	[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
	[ 95.890755] kasan_check_range+0x2c3/0x2e0
	[ 95.890755] sco_sock_timeout+0x5e/0x1c0
	[ 95.890755] process_one_work+0x561/0xc50
	[ 95.890755] worker_thread+0xab2/0x13c0
	[ 95.890755] ? pr_cont_work+0x490/0x490
	[ 95.890755] kthread+0x279/0x300
	[ 95.890755] ? pr_cont_work+0x490/0x490
	[ 95.890755] ? kthread_blkcg+0xa0/0xa0
	[ 95.890755] ret_from_fork+0x34/0x60
	[ 95.890755] ? kthread_blkcg+0xa0/0xa0
	[ 95.890755] ret_from_fork_asm+0x11/0x20
	[ 95.890755] </TASK>
	[ 95.890755]
	[ 95.890755] Allocated by task 506:
	[ 95.890755] kasan_save_track+0x3f/0x70
	[ 95.890755] __kasan_kmalloc+0x86/0x90
	[ 95.890755] __kmalloc+0x17f/0x360
	[ 95.890755] sk_prot_alloc+0xe1/0x1a0
	[ 95.890755] sk_alloc+0x31/0x4e0
	[ 95.890755] bt_sock_alloc+0x2b/0x2a0
	[ 95.890755] sco_sock_create+0xad/0x320
	[ 95.890755] bt_sock_create+0x145/0x320
	[ 95.890755] __sock_create+0x2e1/0x650
	[ 95.890755] __sys_socket+0xd0/0x280
	[ 95.890755] __x64_sys_socket+0x75/0x80
	[ 95.890755] do_syscall_64+0xc4/0x1b0
	[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
	[ 95.890755]
	[ 95.890755] Freed by task 506:
	[ 95.890755] kasan_save_track+0x3f/0x70
	[ 95.890755] kasan_save_free_info+0x40/0x50
	[ 95.890755] poison_slab_object+0x118/0x180
	[ 95.890755] __kasan_slab_free+0x12/0x30
	[ 95.890755] kfree+0xb2/0x240
	[ 95.890755] __sk_destruct+0x317/0x410
	[ 95.890755] sco_sock_release+0x232/0x280
	[ 95.890755] sock_close+0xb2/0x210
	[ 95.890755] __fput+0x37f/0x770
	[ 95.890755] task_work_run+0x1ae/0x210
	[ 95.890755] get_signal+0xe17/0xf70
	[ 95.890755] arch_do_signal_or_restart+0x3f/0x520
	[ 95.890755] syscall_exit_to_user_mode+0x55/0x120
	[ 95.890755] do_syscall_64+0xd1/0x1b0
	[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
	[ 95.890755]
	[ 95.890755] The buggy address belongs to the object at ffff88800c388000
	[ 95.890755] which belongs to the cache kmalloc-1k of size 1024
	[ 95.890755] The buggy address is located 128 bytes inside of
	[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)
	[ 95.890755]
	[ 95.890755] The buggy address belongs to the physical page:
	[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
	[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
	[ 95.890755] anon flags: 0x100000000000840(slab\|head\|node=0\|zone=1)
	[ 95.890755] page_type: 0xffffffff()
	[ 95.890755] raw: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
	[ 95.890755] raw: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
	[ 95.890755] head: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
	[ 95.890755] head: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
	[ 95.890755] head: 0100000000000003 ffffea000030e201 ffffea000030e248 00000000ffffffff
	[ 95.890755] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
	[ 95.890755] page dumped because: kasan: bad access detected
	[ 95.890755]
	[ 95.890755] Memory state around the buggy address:
	[ 95.890755] ffff88800c387f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	[ 95.890755] ffff88800c388000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	[ 95.890755] >ffff88800c388080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	[ 95.890755] ^
	[ 95.890755] ffff88800c388100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	[ 95.890755] ffff88800c388180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	[ 95.890755] ==================================================================

	Fix this problem by adding a check protected by sco_conn_lock to judget
	whether the conn->hcon is null. Because the conn->hcon will be set to null,
	when the sock is releasing.

	The Linux kernel CVE team has assigned CVE-2024-27398 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.207 with commit 48669c81a65628ef234cbdd91b9395952c7c27fe and fixed in 4.19.314 with commit 1b33d55fb7355e27f8c82cd4ecd560f162469249
	Issue introduced in 5.4.148 with commit 37d7ae2b0578f2373674a755402ee722e96edc08 and fixed in 5.4.276 with commit 3212afd00e3cda790fd0583cb3eaef8f9575a014
	Issue introduced in 5.10.67 with commit a1073aad497d0d071a71f61b721966a176d50c08 and fixed in 5.10.217 with commit 33a6e92161a78c1073d90e27abe28d746feb0a53
	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 5.15.159 with commit 6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5
	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.1.91 with commit bfab2c1f7940a232cd519e82fff137e308abfd93
	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.6.31 with commit 012363cb1bec5f33a7b94629ab2c1086f30280f2
	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.8.10 with commit 50c2037fc28df870ef29d9728c770c8955d32178
	Issue introduced in 5.15 with commit ba316be1b6a00db7126ed9a39f9bee434a508043 and fixed in 6.9 with commit 483bc08181827fc475643272ffb69c533007e546
	Issue introduced in 4.14.263 with commit fea63ccd928c01573306983346588b26cffb5572
	Issue introduced in 5.13.19 with commit ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134
	Issue introduced in 5.14.6 with commit b657bba82ff6a007d84fd076bd73b11131726a2b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27398
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/sco.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249
	https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014
	https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53
	https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5
	https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93
	https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2
	https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178
	https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546