ghsa-f6q4-wr98-4jf5
Vulnerability from github
Published
2024-07-29 15:30
Modified
2024-07-29 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

bluetooth/l2cap: sync sock recv cb and release

The problem occurs between the system call to close the sock and hci_rx_work, where the former releases the sock and the latter accesses it without lock protection.

       CPU0                       CPU1
       ----                       ----
       sock_close                 hci_rx_work
   l2cap_sock_release         hci_acldata_packet
   l2cap_sock_kill            l2cap_recv_frame
   sk_free                    l2cap_conless_channel
                              l2cap_sock_recv_cb

If hci_rx_work processes the data that needs to be received before the sock is closed, then everything is normal; Otherwise, the work thread may access the released sock when receiving data.

Add a chan mutex in the rx callback of the sock to achieve synchronization between the sock release and recv cb.

Sock is dead, so set chan data to NULL, avoid others use invalid sock pointer.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-41062"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T15:15:14Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n           CPU0                       CPU1\n           ----                       ----\n           sock_close                 hci_rx_work\n\t   l2cap_sock_release         hci_acldata_packet\n\t   l2cap_sock_kill            l2cap_recv_frame\n\t   sk_free                    l2cap_conless_channel\n\t                              l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; Otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.",
  "id": "GHSA-f6q4-wr98-4jf5",
  "modified": "2024-07-29T15:30:44Z",
  "published": "2024-07-29T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41062"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.