CVE-2022-49910
Vulnerability from cvelistv5
Published: 2025-05-01 14:10
Modified: 2025-05-04 08:48
Summary
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

Fix the race condition between the following two flows that run in
parallel:

1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) ->
   __sock_queue_rcv_skb.

2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.

An SKB can be queued by the first flow and immediately dequeued and
freed by the second flow, therefore the callers of l2cap_reassemble_sdu
can't use the SKB after that function returns. However, some places
continue accessing struct l2cap_ctrl that resides in the SKB's CB for a
short time after l2cap_reassemble_sdu returns, leading to a
use-after-free condition (the stack trace is below, line numbers for
kernel 5.19.8).

Fix it by keeping a local copy of struct l2cap_ctrl.

BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169

Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
 print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
 ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
 kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
 ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
 l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
 l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
 ret_from_fork (arch/x86/entry/entry_64.S:306)
 </TASK>

Allocated by task 43169:
 kasan_save_stack (mm/kasan/common.c:39)
 __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
 kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
 __alloc_skb (net/core/skbuff.c:414)
 l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
 l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
 hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
 process_one_work (kernel/workqueue.c:2289)
 worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
 kthread (kernel/kthread.c:376)
 ret_from_fork (arch/x86/entry/entry_64.S:306)

Freed by task 27920:
 kasan_save_stack (mm/kasan/common.c:39)
 kasan_set_track (mm/kasan/common.c:45)
 kasan_set_free_info (mm/kasan/generic.c:372)
 ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
 slab_free_freelist_hook (mm/slub.c:1780)
 kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
 skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
 bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
 l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
 sock_read_iter (net/socket.c:1087)
 new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
 vfs_read (fs/read_write.c:482)
 ksys_read (fs/read_write.c:620)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

Affected
- Vendor/product: Linux (Linux kernel); affected file net/bluetooth/l2cap_core.c; repository https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Introduced by commit 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060; affected from kernel 3.6 onward (versions before 3.6 unaffected)
- Unaffected once fixed in each stable series: 4.9.333, 4.14.299, 4.19.265, 5.4.224, 5.10.154, 5.15.78, 6.0.8; mainline fix in 6.1 (original commit for fix)
- CPE applicability (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*): vulnerable from 3.6 inclusive up to, but excluding, each of 4.9.333, 4.14.299, 4.19.265, 5.4.224, 5.10.154, 5.15.78, 6.0.8 and 6.1

References (fix commits)
- https://git.kernel.org/stable/c/dc30e05bb18852303084430c03ca76e69257d9ea
- https://git.kernel.org/stable/c/03af22e23b96fb7ef75fb7885407ef457e8b403d
- https://git.kernel.org/stable/c/6c7407bfbeafc80a04e6eaedcf34d378532a04f2
- https://git.kernel.org/stable/c/4cd094fd5d872862ca278e15b9b51b07e915ef3f
- https://git.kernel.org/stable/c/cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
- https://git.kernel.org/stable/c/8278a87bb1eeea94350d675ef961ee5a03341fde
- https://git.kernel.org/stable/c/9a04161244603f502c6e453913e51edd59cb70c1
- https://git.kernel.org/stable/c/3aff8aaca4e36dc8b17eaa011684881a80238966

Record metadata
- CVE ID: CVE-2022-49910; state PUBLISHED; CVE record format 5.1; generated by bippy-1.2.0
- Assigner (CNA): Linux, orgId 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- Reserved 2025-05-01T14:05:17.247Z; published 2025-05-01T14:10:53.010Z; last updated 2025-05-04T08:48:29.372Z
- NVD: published 2025-05-01T15:16:16.147, last modified 2025-05-02T13:52:51.693, status "Awaiting Analysis", no metrics assigned