In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
This fixes the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54
CPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd10 kernel/workqueue.c:3389
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Allocated by task 5247:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394
 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 sock_write_iter+0x2dd/0x400 net/socket.c:1160
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5246:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x149/0x360 mm/slub.c:4598
 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443
 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
 __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455
 hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191
 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
 hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
 sock_do_ioctl+0x158/0x460 net/socket.c:1222
 sock_ioctl+0x629/0x8e0 net/socket.c:1341
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
[
{
"target": {
"file": "net/bluetooth/mgmt.c"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87819234aa1d2a0cb0f962fabb335e798f5ec8b2",
"signature_version": "v1",
"id": "CVE-2024-53208-0e9643f3",
"digest": {
"line_hashes": [
"341678690309851767163700993006209542",
"202450616841820817347321422380973168271",
"60774214461542130947440224625449102196",
"32859457800318644467843494443649955168",
"178432407307036288808633182892977397178",
"15662932421070919607907194065580188137",
"28029928891307143903955912834134404686",
"86759286722130273629310951741396956126"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "set_powered_sync"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cdfc818ffdfeb8266351ed59b6d884056009a095",
"signature_version": "v1",
"id": "CVE-2024-53208-136d1d60",
"digest": {
"length": 187.0,
"function_hash": "27358712764052436510017170524720720280"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_set_powered_complete"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cdfc818ffdfeb8266351ed59b6d884056009a095",
"signature_version": "v1",
"id": "CVE-2024-53208-271cc51e",
"digest": {
"length": 569.0,
"function_hash": "215626862703230380884500239070172055837"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6b75f32bce90c085c89c45761373d940fdcff68c",
"signature_version": "v1",
"id": "CVE-2024-53208-8b1149d9",
"digest": {
"line_hashes": [
"341678690309851767163700993006209542",
"202450616841820817347321422380973168271",
"60774214461542130947440224625449102196",
"32859457800318644467843494443649955168",
"178432407307036288808633182892977397178",
"15662932421070919607907194065580188137",
"28029928891307143903955912834134404686",
"86759286722130273629310951741396956126"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"target": {
"file": "net/bluetooth/mgmt.c"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@95f7a972194ad20696c36523b54c19a3567e0697",
"signature_version": "v1",
"id": "CVE-2024-53208-8d20bbf5",
"digest": {
"line_hashes": [
"341678690309851767163700993006209542",
"202450616841820817347321422380973168271",
"60774214461542130947440224625449102196",
"32859457800318644467843494443649955168",
"178432407307036288808633182892977397178",
"15662932421070919607907194065580188137",
"28029928891307143903955912834134404686",
"86759286722130273629310951741396956126"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "set_powered_sync"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6b75f32bce90c085c89c45761373d940fdcff68c",
"signature_version": "v1",
"id": "CVE-2024-53208-ab04dbf5",
"digest": {
"length": 187.0,
"function_hash": "27358712764052436510017170524720720280"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "set_powered_sync"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87819234aa1d2a0cb0f962fabb335e798f5ec8b2",
"signature_version": "v1",
"id": "CVE-2024-53208-c2bb7b3d",
"digest": {
"length": 187.0,
"function_hash": "27358712764052436510017170524720720280"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_set_powered_complete"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87819234aa1d2a0cb0f962fabb335e798f5ec8b2",
"signature_version": "v1",
"id": "CVE-2024-53208-c3709c33",
"digest": {
"length": 569.0,
"function_hash": "215626862703230380884500239070172055837"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_set_powered_complete"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@95f7a972194ad20696c36523b54c19a3567e0697",
"signature_version": "v1",
"id": "CVE-2024-53208-c58ff702",
"digest": {
"length": 569.0,
"function_hash": "215626862703230380884500239070172055837"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "mgmt_set_powered_complete"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6b75f32bce90c085c89c45761373d940fdcff68c",
"signature_version": "v1",
"id": "CVE-2024-53208-cca410ca",
"digest": {
"length": 569.0,
"function_hash": "215626862703230380884500239070172055837"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c",
"function": "set_powered_sync"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@95f7a972194ad20696c36523b54c19a3567e0697",
"signature_version": "v1",
"id": "CVE-2024-53208-fb5809ad",
"digest": {
"length": 187.0,
"function_hash": "27358712764052436510017170524720720280"
},
"signature_type": "Function"
},
{
"target": {
"file": "net/bluetooth/mgmt.c"
},
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cdfc818ffdfeb8266351ed59b6d884056009a095",
"signature_version": "v1",
"id": "CVE-2024-53208-fccf4513",
"digest": {
"line_hashes": [
"341678690309851767163700993006209542",
"202450616841820817347321422380973168271",
"60774214461542130947440224625449102196",
"32859457800318644467843494443649955168",
"178432407307036288808633182892977397178",
"15662932421070919607907194065580188137",
"28029928891307143903955912834134404686",
"86759286722130273629310951741396956126"
],
"threshold": 0.9
},
"signature_type": "Line"
}
]