CVE-2023-53046

Source
https://cve.org/CVERecord?id=CVE-2023-53046
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53046.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53046
Published
2025-05-02T15:55:03.270Z
Modified
2026-02-24T11:27:55.531400Z
Summary
Bluetooth: Fix race condition in hci_cmd_sync_clear
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix race condition in hci_cmd_sync_clear

There is a potential race condition in hci_cmd_sync_work and hci_cmd_sync_clear, and could lead to use-after-free. For instance, hci_cmd_sync_work is added to the 'req_workqueue' after cancel_work_sync. The entry of 'cmd_sync_work_list' may be freed in hci_cmd_sync_clear, and causing kernel panic when it is used in 'hci_cmd_sync_work'.

Here's the call trace:

dump_stack_lvl+0x49/0x63
print_report.cold+0x5e/0x5d3
? hci_cmd_sync_work+0x282/0x320
kasan_report+0xaa/0x120
? hci_cmd_sync_work+0x282/0x320
__asan_report_load8_noabort+0x14/0x20
hci_cmd_sync_work+0x282/0x320
process_one_work+0x77b/0x11c0
? _raw_spin_lock_irq+0x8e/0xf0
worker_thread+0x544/0x1180
? poll_idle+0x1e0/0x1e0
kthread+0x285/0x320
? process_one_work+0x11c0/0x11c0
? kthread_complete_and_exit+0x30/0x30
ret_from_fork+0x22/0x30
</TASK>

Allocated by task 266:
kasan_save_stack+0x26/0x50
__kasan_kmalloc+0xae/0xe0
kmem_cache_alloc_trace+0x191/0x350
hci_cmd_sync_queue+0x97/0x2b0
hci_update_passive_scan+0x176/0x1d0
le_conn_complete_evt+0x1b5/0x1a00
hci_le_conn_complete_evt+0x234/0x340
hci_le_meta_evt+0x231/0x4e0
hci_event_packet+0x4c5/0xf00
hci_rx_work+0x37d/0x880
process_one_work+0x77b/0x11c0
worker_thread+0x544/0x1180
kthread+0x285/0x320
ret_from_fork+0x22/0x30

Freed by task 269:
kasan_save_stack+0x26/0x50
kasan_set_track+0x25/0x40
kasan_set_free_info+0x24/0x40
____kasan_slab_free+0x176/0x1c0
__kasan_slab_free+0x12/0x20
slab_free_freelist_hook+0x95/0x1a0
kfree+0xba/0x2f0
hci_cmd_sync_clear+0x14c/0x210
hci_unregister_dev+0xff/0x440
vhci_release+0x7b/0xf0
__fput+0x1f3/0x970
____fput+0xe/0x20
task_work_run+0xd4/0x160
do_exit+0x8b0/0x22a0
do_group_exit+0xba/0x2a0
get_signal+0x1e4a/0x25b0
arch_do_signal_or_restart+0x93/0x1f80
exit_to_user_mode_prepare+0xf5/0x1a0
syscall_exit_to_user_mode+0x26/0x50
ret_from_fork+0x15/0x30

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53046.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6a98e3836fa2077b169f10a35c2ca9952d53f987
Fixed
608901a77c945ac15dea23f6098c9882ef19d9f0
Fixed
be586211a3ab40a4f4ca60450e0d31606afc55ec
Fixed
1c66bee492a5fe00ae3fe890bb693bfc99f994c6

Affected versions

v5.*
v5.15
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.3-rc1
v6.3-rc2

Database specific

vanir_signatures
[
    {
        "id": "CVE-2023-53046-694c60e0",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@be586211a3ab40a4f4ca60450e0d31606afc55ec",
        "target": {
            "function": "hci_cmd_sync_clear",
            "file": "net/bluetooth/hci_sync.c"
        },
        "digest": {
            "length": 349.0,
            "function_hash": "173380357038334562750108536634516528325"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2023-53046-7afcd9ad",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1c66bee492a5fe00ae3fe890bb693bfc99f994c6",
        "target": {
            "function": "hci_cmd_sync_clear",
            "file": "net/bluetooth/hci_sync.c"
        },
        "digest": {
            "length": 349.0,
            "function_hash": "173380357038334562750108536634516528325"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2023-53046-81790950",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@be586211a3ab40a4f4ca60450e0d31606afc55ec",
        "target": {
            "file": "net/bluetooth/hci_sync.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "175019492376611449675075486276114993993",
                "122453303293480490511791038190974629321",
                "314416607539284292529988246280311262358",
                "184409404569345689771690544507478388142",
                "36269594970507483813703611910581142301",
                "325495329103730460454664433431531179290",
                "179312770321240180851206067588701425122"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2023-53046-8cf8fd76",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@608901a77c945ac15dea23f6098c9882ef19d9f0",
        "target": {
            "file": "net/bluetooth/hci_sync.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "175019492376611449675075486276114993993",
                "122453303293480490511791038190974629321",
                "314416607539284292529988246280311262358",
                "184409404569345689771690544507478388142",
                "36269594970507483813703611910581142301",
                "325495329103730460454664433431531179290",
                "179312770321240180851206067588701425122"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2023-53046-e1f44cd7",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1c66bee492a5fe00ae3fe890bb693bfc99f994c6",
        "target": {
            "file": "net/bluetooth/hci_sync.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "175019492376611449675075486276114993993",
                "122453303293480490511791038190974629321",
                "314416607539284292529988246280311262358",
                "184409404569345689771690544507478388142",
                "36269594970507483813703611910581142301",
                "325495329103730460454664433431531179290",
                "179312770321240180851206067588701425122"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2023-53046-f3e42da0",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@608901a77c945ac15dea23f6098c9882ef19d9f0",
        "target": {
            "function": "hci_cmd_sync_clear",
            "file": "net/bluetooth/hci_sync.c"
        },
        "digest": {
            "length": 349.0,
            "function_hash": "173380357038334562750108536634516528325"
        },
        "signature_type": "Function"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53046.json"

Git / github.com/gregkh/linux

Affected versions

v5.*
v5.17
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53046.json"