{ "threat_severity" : "Moderate", "public_date" : "2025-02-27T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync", "id" : "2348592", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348592" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync\nThis fixes the following crash:\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\nRead of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961\nCPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:489\nkasan_report+0x143/0x180 mm/kasan/report.c:602\nmgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\nhci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\nworker_thread+0x870/0xd30 kernel/workqueue.c:3391\nkthread+0x2f0/0x390 kernel/kthread.c:389\nret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nAllocated by task 16026:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 [inline]\n__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\nkmalloc_noprof include/linux/slab.h:901 [inline]\nkzalloc_noprof include/linux/slab.h:1037 [inline]\nmgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\nmgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\nremove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568\nhci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\nhci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\nsock_sendmsg_nosec net/socket.c:711 [inline]\n__sock_sendmsg+0x221/0x270 net/socket.c:726\nsock_write_iter+0x2d7/0x3f0 net/socket.c:1147\nnew_sync_write fs/read_write.c:586 [inline]\nvfs_write+0xaeb/0xd30 fs/read_write.c:679\nksys_write+0x18f/0x2b0 fs/read_write.c:731\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nFreed by task 16022:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\npoison_slab_object mm/kasan/common.c:247 [inline]\n__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\nkasan_slab_free include/linux/kasan.h:233 [inline]\nslab_free_hook mm/slub.c:2338 [inline]\nslab_free mm/slub.c:4598 [inline]\nkfree+0x196/0x420 mm/slub.c:4746\nmgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n__mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550\nhci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208\nhci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\nhci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\nsock_do_ioctl+0x158/0x460 net/socket.c:1209\nsock_ioctl+0x626/0x8e0 net/socket.c:1328\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:906 [inline]\n__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20095", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.8.1.el10_1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-58013\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-58013\nhttps://lore.kernel.org/linux-cve-announce/2025022656-CVE-2024-58013-55de@gregkh/T" ], "name" : "CVE-2024-58013", "csaw" : false }