CVE-2024-36012 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: msft: fix slab-use-after-free in msft_do_close() Tying the msft->data lifetime to hdev by freeing it in hci_release_dev() to fix the following case: [use] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- passed. return; mutex_lock(&msft->filter_lock); ...(4) <- used after freed. [free] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) kfree(msft); ...(3) <- msft is freed. ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac
https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56
https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940
https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76
https://lore.kernel.org/linux-cve-announce/2024052314-CVE-2024-36012-3062@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-36012
https://www.cve.org/CVERecord?id=CVE-2024-36012

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-23T07:03:06.904Z

Updated: 2024-11-05T09:26:45.852Z

Reserved: 2024-05-17T13:50:33.153Z

Link: CVE-2024-36012

Vulnrichment

Updated: 2024-08-02T03:30:12.508Z

NVD

Status : Awaiting Analysis

Published: 2024-05-23T07:15:08.900

Modified: 2024-05-24T01:15:30.977

Link: CVE-2024-36012

Redhat

Severity : Low

Publid Date: 2024-05-23T00:00:00Z

Links: CVE-2024-36012 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36012", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.153Z", "datePublished": "2024-05-23T07:03:06.904Z", "dateUpdated": "2024-11-05T09:26:45.852Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:26:45.852Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n msft = hdev->msft_data;\n if (!msft) ...(1) <- passed.\n return;\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n msft = hdev->msft_data;\n hdev->msft_data = NULL; ...(2)\n kfree(msft); ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/hci_core.c", "net/bluetooth/msft.c", "net/bluetooth/msft.h"], "versions": [{"version": "bf6a4e30ffbd", "lessThan": "e3880b531b68", "status": "affected", "versionType": "git"}, {"version": "bf6a4e30ffbd", "lessThan": "a85a60e62355", "status": "affected", "versionType": "git"}, {"version": "bf6a4e30ffbd", "lessThan": "4f1de02de077", "status": "affected", "versionType": "git"}, {"version": "bf6a4e30ffbd", "lessThan": "10f9f426ac6e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/hci_core.c", "net/bluetooth/msft.c", "net/bluetooth/msft.h"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.91", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.31", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76"}, {"url": "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940"}, {"url": "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56"}, {"url": "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac"}], "title": "Bluetooth: msft: fix slab-use-after-free in msft_do_close()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-10T18:54:16.912662Z", "id": "CVE-2024-36012", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T18:54:24.668Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.508Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.508Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36012", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-10T18:54:16.912662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T18:54:22.070Z"}}], "cna": {"title": "Bluetooth: msft: fix slab-use-after-free in msft_do_close()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "bf6a4e30ffbd", "lessThan": "e3880b531b68", "versionType": "git"}, {"status": "affected", "version": "bf6a4e30ffbd", "lessThan": "a85a60e62355", "versionType": "git"}, {"status": "affected", "version": "bf6a4e30ffbd", "lessThan": "4f1de02de077", "versionType": "git"}, {"status": "affected", "version": "bf6a4e30ffbd", "lessThan": "10f9f426ac6e", "versionType": "git"}], "programFiles": ["net/bluetooth/hci_core.c", "net/bluetooth/msft.c", "net/bluetooth/msft.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.12"}, {"status": "unaffected", "version": "0", "lessThan": "5.12", "versionType": "custom"}, {"status": "unaffected", "version": "6.1.91", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.31", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.10", "versionType": "custom", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/bluetooth/hci_core.c", "net/bluetooth/msft.c", "net/bluetooth/msft.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76"}, {"url": "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940"}, {"url": "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56"}, {"url": "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n msft = hdev->msft_data;\n if (!msft) ...(1) <- passed.\n return;\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n msft = hdev->msft_data;\n hdev->msft_data = NULL; ...(2)\n kfree(msft); ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:32:56.761Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36012", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:30:12.508Z", "dateReserved": "2024-05-17T13:50:33.153Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-23T07:03:06.904Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\n\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n\n[use]\nmsft_do_close()\n msft = hdev->msft_data;\n if (!msft) ...(1) <- passed.\n return;\n mutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n\n[free]\nmsft_unregister()\n msft = hdev->msft_data;\n hdev->msft_data = NULL; ...(2)\n kfree(msft); ...(3) <- msft is freed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Bluetooth: msft: corrija slab-use-after-free en msft_do_close() Vinculando la vida \u00fatil de msft->data a hdev liber\u00e1ndolo en hci_release_dev() para solucionar el siguiente caso: [usar] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- aprobado. devolver; mutex_lock(&msft->filter_lock); ...(4) <- usado despu\u00e9s de liberado. [gratis] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) klibre(msft); ...(3) <- se libera msft. ==================================================== ================ ERROR: KASAN: slab-use-after-free en __mutex_lock_common kernel/locking/mutex.c:587 [en l\u00ednea] ERROR: KASAN: slab-use-after -free en __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Lectura de tama\u00f1o 8 en addr ffff888106cbbca8 por tarea kworker/u5:2/309"}], "id": "CVE-2024-36012", "lastModified": "2024-05-24T01:15:30.977", "metrics": {}, "published": "2024-05-23T07:15:08.900", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Bluetooth: msft: fix slab-use-after-free in msft_do_close()", "id": "2282955", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282955"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: msft: fix slab-use-after-free in msft_do_close()\nTying the msft->data lifetime to hdev by freeing it in\nhci_release_dev() to fix the following case:\n[use]\nmsft_do_close()\nmsft = hdev->msft_data;\nif (!msft) ...(1) <- passed.\nreturn;\nmutex_lock(&msft->filter_lock); ...(4) <- used after freed.\n[free]\nmsft_unregister()\nmsft = hdev->msft_data;\nhdev->msft_data = NULL; ...(2)\nkfree(msft); ...(3) <- msft is freed.\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30\nkernel/locking/mutex.c:752\nRead of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309"], "name": "CVE-2024-36012", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36012\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36012\nhttps://lore.kernel.org/linux-cve-announce/2024052314-CVE-2024-36012-3062@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 6.1.91, kernel 6.6.31, kernel 6.8.10, kernel 6.9"}