PRIOn Logo

CVE-2024-36013 Design/Logic Flaw

Routine
Remediate Within 6 Months

CVE Information

Original CVE data

Published:
Updated:

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect + mutex_lock(&conn->chan_lock); ¦ chan = pchan->ops->new_connection(pchan); <- alloc chan ¦ __l2cap_chan_add(conn, chan); ¦ l2cap_chan_hold(chan); ¦ list_add(&chan->list, &conn->chan_l); ... (1) + mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del + mutex_lock(&conn->chan_lock); ¦ foreach chan in conn->chan_l: ... (2) ¦ l2cap_chan_put(chan); ¦ l2cap_chan_destroy ¦ kfree(chan) ... (3) <- chan freed + mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311

CWE:
CVSS v2-
CVSS v3-
References
https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658
https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5
https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6
Affected Vendors

Basic Analysis

Common vulnerability metrics

Vulnerabilty type as detected by PRIOnengine

Design/Logic Flaw

CVSS Scores as calculated by PRIOnengine
CVSS v25
AV:N/AC:L/AU:N/C:N/I:N/A:P
CVSS v38.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
MITRE CWE Top 25

-

Exploits

No exploit code is reported to exist.

Active Exploitation

Vulnerability is not in CISA's Known Exploited Vulnerabilities (KEV) catalog. See the KEV Catalog

Social Network Activity

-

Threat Actor Activity

No sightings of the vulnerability within threat reports.

Cybersecurity Frameworks

How the vulnerability maps against various cybersecurity frameworks

T1499.004 - Endpoint Denial of Service (Application or System Exploitation)
T1203 - Exploitation for Client Execution
T1059 - Command and Scripting Interpreter

Compliance Impact

How the submited vulnerability affects compliance

PCI DSS v3.2.1-6.5.2 - Buffer Overflows

Web Application Security Frameworks

Applicable if the issue likely affects a web application

-