cve/published/2024/CVE-2024-27399.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27399: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

 There is a race condition between l2cap_chan_timeout() and
 l2cap_chan_del(). When we use l2cap_chan_del() to delete the
 channel, the chan->conn will be set to null. But the conn could
 be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
 As a result the null pointer dereference bug will happen. The
 KASAN report triggered by POC is shown below:

 [  472.074580] ==================================================================
 [  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
 [  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
 [  472.075308]
 [  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
 [  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
 [  472.075308] Workqueue: events l2cap_chan_timeout
 [  472.075308] Call Trace:
 [  472.075308]  <TASK>
 [  472.075308]  dump_stack_lvl+0x137/0x1a0
 [  472.075308]  print_report+0x101/0x250
 [  472.075308]  ? __virt_addr_valid+0x77/0x160
 [  472.075308]  ? mutex_lock+0x68/0xc0
 [  472.075308]  kasan_report+0x139/0x170
 [  472.075308]  ? mutex_lock+0x68/0xc0
 [  472.075308]  kasan_check_range+0x2c3/0x2e0
 [  472.075308]  mutex_lock+0x68/0xc0
 [  472.075308]  l2cap_chan_timeout+0x181/0x300
 [  472.075308]  process_one_work+0x5d2/0xe00
 [  472.075308]  worker_thread+0xe1d/0x1660
 [  472.075308]  ? pr_cont_work+0x5e0/0x5e0
 [  472.075308]  kthread+0x2b7/0x350
 [  472.075308]  ? pr_cont_work+0x5e0/0x5e0
 [  472.075308]  ? kthread_blkcg+0xd0/0xd0
 [  472.075308]  ret_from_fork+0x4d/0x80
 [  472.075308]  ? kthread_blkcg+0xd0/0xd0
 [  472.075308]  ret_from_fork_asm+0x11/0x20
 [  472.075308]  </TASK>
 [  472.075308] ==================================================================
 [  472.094860] Disabling lock debugging due to kernel taint
 [  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
 [  472.096136] #PF: supervisor write access in kernel mode
 [  472.096136] #PF: error_code(0x0002) - not-present page
 [  472.096136] PGD 0 P4D 0
 [  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
 [  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36
 [  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
 [  472.096136] Workqueue: events l2cap_chan_timeout
 [  472.096136] RIP: 0010:mutex_lock+0x88/0xc0
 [  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
 [  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
 [  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
 [  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
 [  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
 [  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
 [  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
 [  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
 [  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
 [  472.096136] Call Trace:
 [  472.096136]  <TASK>
 [  472.096136]  ? __die_body+0x8d/0xe0
 [  472.096136]  ? page_fault_oops+0x6b8/0x9a0
 [  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0
 [  472.096136]  ? do_user_addr_fault+0x1027/0x1340
 [  472.096136]  ? _printk+0x7a/0xa0
 [  472.096136]  ? mutex_lock+0x68/0xc0
 [  472.096136]  ? add_taint+0x42/0xd0
 [  472.096136]  ? exc_page_fault+0x6a/0x1b0
 [  472.096136]  ? asm_exc_page_fault+0x26/0x30
 [  472.096136]  ? mutex_lock+0x75/0xc0
 [  472.096136]  ? mutex_lock+0x88/0xc0
 [  472.096136]  ? mutex_lock+0x75/0xc0
 [  472.096136]  l2cap_chan_timeout+0x181/0x300
 [  472.096136]  process_one_work+0x5d2/0xe00
 [  472.096136]  worker_thread+0xe1d/0x1660
 [  472.096136]  ? pr_cont_work+0x5e0/0x5e0
 [  472.096136]  kthread+0x2b7/0x350
 [  472.096136]  ? pr_cont_work+0x5e0/0x5e0
 [  472.096136]  ? kthread_blkcg+0xd0/0xd0
 [  472.096136]  ret_from_fork+0x4d/0x80
 [  472.096136]  ? kthread_blkcg+0xd0/0xd0
 [  472.096136]  ret_from_fork_asm+0x11/0x20
 [  472.096136]  </TASK>
 [  472.096136] Modules linked in:
 [  472.096136] CR2: 0000000000000158
 [  472.096136] ---[ end trace 0000000000000000 ]---
 [  472.096136] RIP: 0010:mutex_lock+0x88/0xc0
 [  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
 [  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
 [  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
 [  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
 [  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
 [  472.132932] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
 [  472.132932] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
 [  472.132932] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
 [  472.132932] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [  472.132932] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
 [  472.132932] Kernel panic - not syncing: Fatal exception
 [  472.132932] Kernel Offset: disabled
 [  472.132932] ---[ end Kernel panic - not syncing: Fatal exception ]---

 Add a check to judge whether the conn is null in l2cap_chan_timeout()
 in order to mitigate the bug.

 The Linux kernel CVE team has assigned CVE-2024-27399 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 4.19.314 with commit e137e2ba96e51902dc2878131823a96bf8e638ae
 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 5.4.276 with commit 6466ee65e5b27161c846c73ef407f49dfa1bd1d9
 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 5.10.217 with commit 06acb75e7ed600d0bbf7bff5628aa8f24a97978c
 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 5.15.159 with commit e97e16433eb4533083b096a3824b93a5ca3aee79
 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.1.91 with commit 8960ff650aec70485b40771cd8e6e8c4cb467d33
 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.6.31 with commit 955b5b6c54d95b5e7444dfc81c95c8e013f27ac0
 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.8.10 with commit eb86f955488c39526534211f2610e48a5cf8ead4
 	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.9 with commit adf0398cee86643b8eacde95f17d073d022f782c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27399
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/l2cap_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae
 	https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9
 	https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c
 	https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79
 	https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33
 	https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0
 	https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4
 	https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27399: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

	There is a race condition between l2cap_chan_timeout() and
	l2cap_chan_del(). When we use l2cap_chan_del() to delete the
	channel, the chan->conn will be set to null. But the conn could
	be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
	As a result the null pointer dereference bug will happen. The
	KASAN report triggered by POC is shown below:

	[ 472.074580] ==================================================================
	[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
	[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
	[ 472.075308]
	[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
	[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
	[ 472.075308] Workqueue: events l2cap_chan_timeout
	[ 472.075308] Call Trace:
	[ 472.075308] <TASK>
	[ 472.075308] dump_stack_lvl+0x137/0x1a0
	[ 472.075308] print_report+0x101/0x250
	[ 472.075308] ? __virt_addr_valid+0x77/0x160
	[ 472.075308] ? mutex_lock+0x68/0xc0
	[ 472.075308] kasan_report+0x139/0x170
	[ 472.075308] ? mutex_lock+0x68/0xc0
	[ 472.075308] kasan_check_range+0x2c3/0x2e0
	[ 472.075308] mutex_lock+0x68/0xc0
	[ 472.075308] l2cap_chan_timeout+0x181/0x300
	[ 472.075308] process_one_work+0x5d2/0xe00
	[ 472.075308] worker_thread+0xe1d/0x1660
	[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
	[ 472.075308] kthread+0x2b7/0x350
	[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
	[ 472.075308] ? kthread_blkcg+0xd0/0xd0
	[ 472.075308] ret_from_fork+0x4d/0x80
	[ 472.075308] ? kthread_blkcg+0xd0/0xd0
	[ 472.075308] ret_from_fork_asm+0x11/0x20
	[ 472.075308] </TASK>
	[ 472.075308] ==================================================================
	[ 472.094860] Disabling lock debugging due to kernel taint
	[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
	[ 472.096136] #PF: supervisor write access in kernel mode
	[ 472.096136] #PF: error_code(0x0002) - not-present page
	[ 472.096136] PGD 0 P4D 0
	[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
	[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36
	[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
	[ 472.096136] Workqueue: events l2cap_chan_timeout
	[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
	[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
	[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
	[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
	[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
	[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
	[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
	[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
	[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
	[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
	[ 472.096136] Call Trace:
	[ 472.096136] <TASK>
	[ 472.096136] ? __die_body+0x8d/0xe0
	[ 472.096136] ? page_fault_oops+0x6b8/0x9a0
	[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0
	[ 472.096136] ? do_user_addr_fault+0x1027/0x1340
	[ 472.096136] ? _printk+0x7a/0xa0
	[ 472.096136] ? mutex_lock+0x68/0xc0
	[ 472.096136] ? add_taint+0x42/0xd0
	[ 472.096136] ? exc_page_fault+0x6a/0x1b0
	[ 472.096136] ? asm_exc_page_fault+0x26/0x30
	[ 472.096136] ? mutex_lock+0x75/0xc0
	[ 472.096136] ? mutex_lock+0x88/0xc0
	[ 472.096136] ? mutex_lock+0x75/0xc0
	[ 472.096136] l2cap_chan_timeout+0x181/0x300
	[ 472.096136] process_one_work+0x5d2/0xe00
	[ 472.096136] worker_thread+0xe1d/0x1660
	[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
	[ 472.096136] kthread+0x2b7/0x350
	[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
	[ 472.096136] ? kthread_blkcg+0xd0/0xd0
	[ 472.096136] ret_from_fork+0x4d/0x80
	[ 472.096136] ? kthread_blkcg+0xd0/0xd0
	[ 472.096136] ret_from_fork_asm+0x11/0x20
	[ 472.096136] </TASK>
	[ 472.096136] Modules linked in:
	[ 472.096136] CR2: 0000000000000158
	[ 472.096136] ---[ end trace 0000000000000000 ]---
	[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
	[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
	[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
	[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
	[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
	[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
	[ 472.132932] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
	[ 472.132932] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
	[ 472.132932] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
	[ 472.132932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 472.132932] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
	[ 472.132932] Kernel panic - not syncing: Fatal exception
	[ 472.132932] Kernel Offset: disabled
	[ 472.132932] ---[ end Kernel panic - not syncing: Fatal exception ]---

	Add a check to judge whether the conn is null in l2cap_chan_timeout()
	in order to mitigate the bug.

	The Linux kernel CVE team has assigned CVE-2024-27399 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 4.19.314 with commit e137e2ba96e51902dc2878131823a96bf8e638ae
	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 5.4.276 with commit 6466ee65e5b27161c846c73ef407f49dfa1bd1d9
	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 5.10.217 with commit 06acb75e7ed600d0bbf7bff5628aa8f24a97978c
	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 5.15.159 with commit e97e16433eb4533083b096a3824b93a5ca3aee79
	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.1.91 with commit 8960ff650aec70485b40771cd8e6e8c4cb467d33
	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.6.31 with commit 955b5b6c54d95b5e7444dfc81c95c8e013f27ac0
	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.8.10 with commit eb86f955488c39526534211f2610e48a5cf8ead4
	Issue introduced in 3.4 with commit 3df91ea20e744344100b10ae69a17211fcf5b207 and fixed in 6.9 with commit adf0398cee86643b8eacde95f17d073d022f782c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27399
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/l2cap_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae
	https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9
	https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c
	https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79
	https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33
	https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0
	https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4
	https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c