In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: af_bluetooth: Fix deadlock
Attempting to take sock_lock in .recvmsg may cause a deadlock, as shown below, so instead of using sock_lock this change uses sk_receive_queue.lock in bt_sock_ioctl to avoid the UAF:
INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
      Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 __schedule+0x37d/0xa00
 schedule+0x32/0xe0
 __lock_sock+0x68/0xa0
 ? __pfx_autoremove_wake_function+0x10/0x10
 lock_sock_nested+0x43/0x50
 l2cap_sock_recv_cb+0x21/0xa0
 l2cap_recv_frame+0x55b/0x30a0
 ? psi_task_switch+0xeb/0x270
 ? finish_task_switch.isra.0+0x93/0x2a0
 hci_rx_work+0x33a/0x3f0
 process_one_work+0x13a/0x2f0
 worker_thread+0x2f0/0x410
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe0/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_ioctl" }, "id": "CVE-2024-26886-2b18f6a8", "digest": { "length": 711.0, "function_hash": "196252987248876308324069930954589162096" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@817e8138ce86001b2fa5c63d6ede756e205a01f7" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_ioctl" }, "id": "CVE-2024-26886-2f9b948f", "digest": { "length": 711.0, "function_hash": "196252987248876308324069930954589162096" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@64be3c6154886200708da0dfe259705fb992416c" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "net/bluetooth/af_bluetooth.c" }, "id": "CVE-2024-26886-3d84c9cf", "digest": { "line_hashes": [ "89637810291529625448318036047291808081", "105287374664932283482852958947152337858", "196225965562277420786743192570288193615", "117573733608931068894347456593390861960", "290523732087716491318563477003135004086", "154780877489707301270981110744025065399", "268457973936372372190111675041442695126", "314496338203946258088758740498679197942", "151858983397592350213887904929499503046", "61654348715760174541077979820942064773", "60686236654598668637698990873328503192", "140661661089106894684618305506570166993", "209745624945823077680121397388964621821", "310562879981190672708548979960036910130", "49313499978712262277701569829656046185", "289474280709839712815483283814980038003", "254776546058630684482152272007103436421", "90179071647577716147430098285196722790", "312536869541041342543160219547955467833", "116114851776929222633345552953999729467" ], "threshold": 0.9 }, "signature_version": "v1", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@64be3c6154886200708da0dfe259705fb992416c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_ioctl" }, "id": "CVE-2024-26886-537fc426", "digest": { "length": 711.0, "function_hash": "196252987248876308324069930954589162096" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f7b94bdc1ec107c92262716b073b3e816d4784fb" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_recvmsg" }, "id": "CVE-2024-26886-6e8b48bd", "digest": { "length": 1088.0, "function_hash": "86064609374047583915165295774071017037" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c9e2df022ef8b9d7fac58a04a2ef4ed25288955" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "net/bluetooth/af_bluetooth.c" }, "id": "CVE-2024-26886-7e82aa52", "digest": { "line_hashes": [ "89637810291529625448318036047291808081", "105287374664932283482852958947152337858", "196225965562277420786743192570288193615", "117573733608931068894347456593390861960", "290523732087716491318563477003135004086", "154780877489707301270981110744025065399", "268457973936372372190111675041442695126", "314496338203946258088758740498679197942", "151858983397592350213887904929499503046", "61654348715760174541077979820942064773", "60686236654598668637698990873328503192", "140661661089106894684618305506570166993", "209745624945823077680121397388964621821", "310562879981190672708548979960036910130", "49313499978712262277701569829656046185", "289474280709839712815483283814980038003", "254776546058630684482152272007103436421", "90179071647577716147430098285196722790", "312536869541041342543160219547955467833", "116114851776929222633345552953999729467" ], "threshold": 0.9 }, "signature_version": "v1", 
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f7b94bdc1ec107c92262716b073b3e816d4784fb" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_ioctl" }, "id": "CVE-2024-26886-b669b53b", "digest": { "length": 711.0, "function_hash": "196252987248876308324069930954589162096" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c9e2df022ef8b9d7fac58a04a2ef4ed25288955" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "net/bluetooth/af_bluetooth.c" }, "id": "CVE-2024-26886-c433c537", "digest": { "line_hashes": [ "89637810291529625448318036047291808081", "105287374664932283482852958947152337858", "196225965562277420786743192570288193615", "117573733608931068894347456593390861960", "290523732087716491318563477003135004086", "154780877489707301270981110744025065399", "268457973936372372190111675041442695126", "314496338203946258088758740498679197942", "151858983397592350213887904929499503046", "61654348715760174541077979820942064773", "60686236654598668637698990873328503192", "140661661089106894684618305506570166993", "209745624945823077680121397388964621821", "310562879981190672708548979960036910130", "49313499978712262277701569829656046185", "289474280709839712815483283814980038003", "254776546058630684482152272007103436421", "90179071647577716147430098285196722790", "312536869541041342543160219547955467833", "116114851776929222633345552953999729467" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2c9e2df022ef8b9d7fac58a04a2ef4ed25288955" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "net/bluetooth/af_bluetooth.c" }, "id": "CVE-2024-26886-cb026f11", "digest": { "line_hashes": [ "89637810291529625448318036047291808081", "105287374664932283482852958947152337858", 
"196225965562277420786743192570288193615", "117573733608931068894347456593390861960", "290523732087716491318563477003135004086", "154780877489707301270981110744025065399", "268457973936372372190111675041442695126", "314496338203946258088758740498679197942", "151858983397592350213887904929499503046", "61654348715760174541077979820942064773", "60686236654598668637698990873328503192", "140661661089106894684618305506570166993", "209745624945823077680121397388964621821", "310562879981190672708548979960036910130", "49313499978712262277701569829656046185", "289474280709839712815483283814980038003", "254776546058630684482152272007103436421", "90179071647577716147430098285196722790", "312536869541041342543160219547955467833", "116114851776929222633345552953999729467" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@817e8138ce86001b2fa5c63d6ede756e205a01f7" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_recvmsg" }, "id": "CVE-2024-26886-ef107c70", "digest": { "length": 1088.0, "function_hash": "86064609374047583915165295774071017037" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f7b94bdc1ec107c92262716b073b3e816d4784fb" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_recvmsg" }, "id": "CVE-2024-26886-f9c885d1", "digest": { "length": 1088.0, "function_hash": "86064609374047583915165295774071017037" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@64be3c6154886200708da0dfe259705fb992416c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "net/bluetooth/af_bluetooth.c", "function": "bt_sock_recvmsg" }, "id": "CVE-2024-26886-fb820c36", "digest": { "length": 1088.0, "function_hash": 
"86064609374047583915165295774071017037" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@817e8138ce86001b2fa5c63d6ede756e205a01f7" } ] }