vulnerability
Red Hat: CVE-2024-36013: kernel: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:A/AC:L/Au:N/C:P/I:N/A:C) | May 23, 2024 | May 15, 2025 | May 15, 2025 |
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
Extend a critical section to prevent chan from early freeing.
Also make the l2cap_connect() return type void. Nothing is using the
returned value but it is ugly to return a potentially freed pointer.
Making it void will help with backports because earlier kernels did use
the return value. Now the compile will break for kernels where this
patch is not a complete fix.
Call stack summary:
[use]
l2cap_bredr_sig_cmd
l2cap_connect
+ mutex_lock(&conn->chan_lock);
¦ chan = pchan->ops->new_connection(pchan); ¦ __l2cap_chan_add(conn, chan);
¦ l2cap_chan_hold(chan);
¦ list_add(&chan->list, &conn->chan_l); ... (1)
+ mutex_unlock(&conn->chan_lock);
chan->conf_state ... (4)
[free]
l2cap_conn_del
+ mutex_lock(&conn->chan_lock);
¦ foreach chan in conn->chan_l: ... (2)
¦ l2cap_chan_put(chan);
¦ l2cap_chan_destroy
¦ kfree(chan) ... (3) + mutex_unlock(&conn->chan_lock);
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read
include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0
net/bluetooth/l2cap_core.c:4260
Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
Solution(s)
References
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.