cve/published/2024/CVE-2024-58009.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58009: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc

 A NULL sock pointer is passed into l2cap_sock_alloc() when it is called
 from l2cap_sock_new_connection_cb() and the error handling paths should
 also be aware of it.

 Seemingly a more elegant solution would be to swap bt_sock_alloc() and
 l2cap_chan_create() calls since they are not interdependent to that moment
 but then l2cap_chan_create() adds the soon to be deallocated and still
 dummy-initialized channel to the global list accessible by many L2CAP
 paths. The channel would be removed from the list in short period of time
 but be a bit more straight-forward here and just check for NULL instead of
 changing the order of function calls.

 Found by Linux Verification Center (linuxtesting.org) with SVACE static
 analysis tool.

 The Linux kernel CVE team has assigned CVE-2024-58009 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.287 with commit f6ad641646b67f29c7578dcd6c25813c7dcbf51e and fixed in 5.4.291 with commit a9a7672fc1a0fe18502493936ccb06413ab89ea6
 	Issue introduced in 5.10.231 with commit daa13175a6dea312a76099066cb4cbd4fc959a84 and fixed in 5.10.235 with commit 8e605f580a97530e5a3583beea458a3fa4cbefbd
 	Issue introduced in 5.15.174 with commit a8677028dd5123e5e525b8195483994d87123de4 and fixed in 5.15.179 with commit cf601a24120c674cd7c907ea695f92617af6abd0
 	Issue introduced in 6.1.120 with commit bb2f2342a6ddf7c04f9aefbbfe86104cd138e629 and fixed in 6.1.129 with commit 297ce7f544aa675b0d136d788cad0710cdfb0785
 	Issue introduced in 6.6.66 with commit 8ad09ddc63ace3950ac43db6fbfe25b40f589dd6 and fixed in 6.6.78 with commit 245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22
 	Issue introduced in 6.12.5 with commit 61686abc2f3c2c67822aa23ce6f160467ec83d35 and fixed in 6.12.14 with commit 691218a50c3139f7f57ffa79fb89d932eda9571e
 	Issue introduced in 6.13 with commit 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 and fixed in 6.13.3 with commit 49c0d55d59662430f1829ae85b969619573d0fa1
 	Issue introduced in 6.13 with commit 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 and fixed in 6.14 with commit 5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58009
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/l2cap_sock.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a9a7672fc1a0fe18502493936ccb06413ab89ea6
 	https://git.kernel.org/stable/c/8e605f580a97530e5a3583beea458a3fa4cbefbd
 	https://git.kernel.org/stable/c/cf601a24120c674cd7c907ea695f92617af6abd0
 	https://git.kernel.org/stable/c/297ce7f544aa675b0d136d788cad0710cdfb0785
 	https://git.kernel.org/stable/c/245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22
 	https://git.kernel.org/stable/c/691218a50c3139f7f57ffa79fb89d932eda9571e
 	https://git.kernel.org/stable/c/49c0d55d59662430f1829ae85b969619573d0fa1
 	https://git.kernel.org/stable/c/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58009: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc

	A NULL sock pointer is passed into l2cap_sock_alloc() when it is called
	from l2cap_sock_new_connection_cb() and the error handling paths should
	also be aware of it.

	Seemingly a more elegant solution would be to swap bt_sock_alloc() and
	l2cap_chan_create() calls since they are not interdependent to that moment
	but then l2cap_chan_create() adds the soon to be deallocated and still
	dummy-initialized channel to the global list accessible by many L2CAP
	paths. The channel would be removed from the list in short period of time
	but be a bit more straight-forward here and just check for NULL instead of
	changing the order of function calls.

	Found by Linux Verification Center (linuxtesting.org) with SVACE static
	analysis tool.

	The Linux kernel CVE team has assigned CVE-2024-58009 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.287 with commit f6ad641646b67f29c7578dcd6c25813c7dcbf51e and fixed in 5.4.291 with commit a9a7672fc1a0fe18502493936ccb06413ab89ea6
	Issue introduced in 5.10.231 with commit daa13175a6dea312a76099066cb4cbd4fc959a84 and fixed in 5.10.235 with commit 8e605f580a97530e5a3583beea458a3fa4cbefbd
	Issue introduced in 5.15.174 with commit a8677028dd5123e5e525b8195483994d87123de4 and fixed in 5.15.179 with commit cf601a24120c674cd7c907ea695f92617af6abd0
	Issue introduced in 6.1.120 with commit bb2f2342a6ddf7c04f9aefbbfe86104cd138e629 and fixed in 6.1.129 with commit 297ce7f544aa675b0d136d788cad0710cdfb0785
	Issue introduced in 6.6.66 with commit 8ad09ddc63ace3950ac43db6fbfe25b40f589dd6 and fixed in 6.6.78 with commit 245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22
	Issue introduced in 6.12.5 with commit 61686abc2f3c2c67822aa23ce6f160467ec83d35 and fixed in 6.12.14 with commit 691218a50c3139f7f57ffa79fb89d932eda9571e
	Issue introduced in 6.13 with commit 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 and fixed in 6.13.3 with commit 49c0d55d59662430f1829ae85b969619573d0fa1
	Issue introduced in 6.13 with commit 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 and fixed in 6.14 with commit 5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58009
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/l2cap_sock.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a9a7672fc1a0fe18502493936ccb06413ab89ea6
	https://git.kernel.org/stable/c/8e605f580a97530e5a3583beea458a3fa4cbefbd
	https://git.kernel.org/stable/c/cf601a24120c674cd7c907ea695f92617af6abd0
	https://git.kernel.org/stable/c/297ce7f544aa675b0d136d788cad0710cdfb0785
	https://git.kernel.org/stable/c/245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22
	https://git.kernel.org/stable/c/691218a50c3139f7f57ffa79fb89d932eda9571e
	https://git.kernel.org/stable/c/49c0d55d59662430f1829ae85b969619573d0fa1
	https://git.kernel.org/stable/c/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1