{ "threat_severity" : "Moderate", "public_date" : "2024-12-27T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync", "id" : "2334392", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334392" }, "cvss3" : { "cvss3_base_score" : "6.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync\nThis fixes the following crash:\n==================================================================\nBUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353\nRead of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:93 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:488\nq kasan_report+0x143/0x180 mm/kasan/report.c:601\nset_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353\nhci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328\nprocess_one_work kernel/workqueue.c:3231 [inline]\nprocess_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312\nworker_thread+0x86d/0xd10 kernel/workqueue.c:3389\nkthread+0x2f0/0x390 kernel/kthread.c:389\nret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nAllocated by task 5247:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\nkasan_kmalloc include/linux/kasan.h:211 [inline]\n__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193\nkmalloc_noprof include/linux/slab.h:681 [inline]\nkzalloc_noprof include/linux/slab.h:807 [inline]\nmgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\nmgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\nset_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394\nhci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\nhci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x221/0x270 net/socket.c:745\nsock_write_iter+0x2dd/0x400 net/socket.c:1160\nnew_sync_write fs/read_write.c:497 [inline]\nvfs_write+0xa72/0xc90 fs/read_write.c:590\nksys_write+0x1a0/0x2c0 fs/read_write.c:643\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nFreed by task 5246:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\npoison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2256 [inline]\nslab_free mm/slub.c:4477 [inline]\nkfree+0x149/0x360 mm/slub.c:4598\nsettings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443\nmgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n__mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455\nhci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191\nhci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\nhci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\nsock_do_ioctl+0x158/0x460 net/socket.c:1222\nsock_ioctl+0x629/0x8e0 net/socket.c:1341\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:907 [inline]\n__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83gv\nentry_SYSCALL_64_after_hwframe+0x77/0x7f" ], "statement" : "This issue is considered to be a moderate impact flaw, as the exploitation for this will need an ADMIN (or ROOT) privilege (PR:H).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-53208\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53208\nhttps://lore.kernel.org/linux-cve-announce/2024122729-CVE-2024-53208-dff3@gregkh/T" ], "name" : "CVE-2024-53208", "csaw" : false }