CVE-2024-27399

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: fix null-ptr-deref in l2capchantimeout

There is a race condition between l2capchantimeout() and l2capchandel(). When we use l2capchandel() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutexlock() of l2capchan_timeout(). As a result the null pointer dereference bug will happen. The KASAN report triggered by POC is shown below:

[ 472.074580] ================================================================== [ 472.075284] BUG: KASAN: null-ptr-deref in mutexlock+0x68/0xc0 [ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7 [ 472.075308] [ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.075308] Workqueue: events l2capchantimeout [ 472.075308] Call Trace: [ 472.075308] <TASK> [ 472.075308] dumpstacklvl+0x137/0x1a0 [ 472.075308] printreport+0x101/0x250 [ 472.075308] ? _virtaddrvalid+0x77/0x160 [ 472.075308] ? mutexlock+0x68/0xc0 [ 472.075308] kasanreport+0x139/0x170 [ 472.075308] ? mutexlock+0x68/0xc0 [ 472.075308] kasancheckrange+0x2c3/0x2e0 [ 472.075308] mutexlock+0x68/0xc0 [ 472.075308] l2capchantimeout+0x181/0x300 [ 472.075308] processonework+0x5d2/0xe00 [ 472.075308] workerthread+0xe1d/0x1660 [ 472.075308] ? prcontwork+0x5e0/0x5e0 [ 472.075308] kthread+0x2b7/0x350 [ 472.075308] ? prcontwork+0x5e0/0x5e0 [ 472.075308] ? kthreadblkcg+0xd0/0xd0 [ 472.075308] retfromfork+0x4d/0x80 [ 472.075308] ? kthreadblkcg+0xd0/0xd0 [ 472.075308] retfromforkasm+0x11/0x20 [ 472.075308] </TASK> [ 472.075308] ================================================================== [ 472.094860] Disabling lock debugging due to kernel taint [ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158 [ 472.096136] #PF: supervisor write access in kernel mode [ 472.096136] #PF: errorcode(0x0002) - not-present page [ 472.096136] PGD 0 P4D 0 [ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI [ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.096136] Workqueue: events l2capchantimeout [ 472.096136] RIP: 0010:mutexlock+0x88/0xc0 [ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 [ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 [ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 [ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 [ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f [ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 [ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00 [ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 [ 472.096136] Call Trace: [ 472.096136] <TASK> [ 472.096136] ? _diebody+0x8d/0xe0 [ 472.096136] ? pagefaultoops+0x6b8/0x9a0 [ 472.096136] ? kernelmodefixuporoops+0x20c/0x2a0 [ 472.096136] ? douseraddrfault+0x1027/0x1340 [ 472.096136] ? _printk+0x7a/0xa0 [ 472.096136] ? mutexlock+0x68/0xc0 [ 472.096136] ? addtaint+0x42/0xd0 [ 472.096136] ? excpagefault+0x6a/0x1b0 [ 472.096136] ? asmexcpagefault+0x26/0x30 [ 472.096136] ? mutexlock+0x75/0xc0 [ 472.096136] ? mutexlock+0x88/0xc0 [ 472.096136] ? mutexlock+0x75/0xc0 [ 472.096136] l2capchan_timeo ---truncated---